Timeline for Why is the Access-Control-Allow-Origin header necessary?
Current License: CC BY-SA 3.0
7 events
| when toggle format | what | by | license | comment | |
|---|---|---|---|---|---|
| Dec 10, 2015 at 7:01 | comment | added | Anonymous Platypus | You can read about Clickjacking to understand a different possibility of exploitation. :) | |
| Jul 30, 2014 at 13:19 | comment | added | Alf Eaton | There are also other services that use IP address ranges to restrict access (such as academic publishers which control access to content using university IP address ranges). If anonymous cross-domain requests were allowed everywhere, any web page could fetch and read that content if the client is within the range of allowed IP addresses. | |
| Oct 18, 2013 at 16:37 | vote | accept | Mark Amery | ||
| Oct 18, 2013 at 15:58 | vote | accept | Mark Amery | ||
| Oct 18, 2013 at 16:37 | |||||
| Oct 18, 2013 at 15:50 | comment | added | SilverlightFox | @apsillers Yes, that sums up my answer nicely. | |
| Oct 18, 2013 at 15:41 | comment | added | apsillers |
So, if I might summarize: a browser client could act as an intermediary to help a malicious server reach some destination resource R, normally accessible to only you. Normally, we consider the case where R is protected by a cookie-based auth token system, but you present a situation in which R is protected by network topology instead. The OP's imagined browser (which always assumes A-C-A-O:*) would violate network-topology-based protection.
|
|
| Oct 18, 2013 at 15:00 | history | answered | SilverlightFox | CC BY-SA 3.0 |