monsur / enable-cors.org

Advocacy for CORS
http://enable-cors.org/

include information about CORS security #70

Open deanjerkovich opened 10 years ago

deanjerkovich commented 10 years ago

I can see why everyone loves CORS, but as a work-around to one of the most fundamental security boundaries of the modern web (SOP), I think it would be very prudent to at least discuss some of the potential pitfalls and dangers associated with CORS.

elf-pavlik commented 10 years ago

:+1: @deanjerkovich would you like to write an initial draft?

deanjerkovich commented 10 years ago

@elf-pavlik sure, is a few paragraphs too much?

elf-pavlik commented 10 years ago

@deanjerkovich I would say just write it here as you think and everyone interested can help with refining... maybe just keep editing your comment, create gists, create a wiki page, or even just link to an etherpad... @monsur what do you suggest for working on such content together? oh... preferably maybe just turn this issue into a pull request :smile: http://opensoul.org/2012/11/09/convert-a-github-issue-into-a-pull-request/ (how I do it) or https://issue2pr.herokuapp.com/ (which I didn't use myself)

monsur commented 10 years ago

@deanjerkovich, can you provide a rough outline of the things you'd like to highlight? Since the server is mostly in control of a CORS request, I don't see CORS itself as being a danger. However server authors do still need to keep standard precautions in place, such as CSRF protection (especially for non-preflighted requests). Were there other security dangers you had in mind? Thanks!

On Tue Dec 10 2013 at 4:31:47 AM, ☮ elf Pavlik ☮ notifications@github.com wrote:

@deanjerkovich https://github.com/deanjerkovich I would say just write it here as you think and everyone interested can help with refining... maybe just keep editing your comment, create gists, create a wiki page, or even just link to an etherpad... @monsur https://github.com/monsur what do you suggest for working on such content together? oh... preferably maybe just turn this issue into a pull request :smile: http://opensoul.org/2012/11/09/convert-a-github-issue-into-a-pull-request/ (how I do it) or https://issue2pr.herokuapp.com/ (which I didn't use myself)

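As an added example (not code from enable-cors.org or from anyone in this thread), a small Python sketch of the two points monsur raises: the server decides which origins get access, and a CSRF token check is still needed because "simple" requests are sent without a preflight. The allowlisted origin, the header safelist (simplified) and the token values are constructed for the example.

```python
# Added example: server-side CORS policy plus the CSRF check CORS does not replace.
from typing import Optional
import hmac

ALLOWED_ORIGINS = {"https://app.example.com"}  # constructed allowlist

# Requests that browsers send WITHOUT an OPTIONS preflight (simplified CORS
# "simple request" rules: method, Content-Type value, and header names).
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                        "multipart/form-data", "text/plain"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}


def cors_headers(origin: Optional[str]) -> dict:
    """CORS response headers for a request carrying `origin`.
    The value is taken from an allowlist, never by reflecting whatever Origin
    arrived, and '*' is never combined with credentials."""
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}  # no CORS headers: the browser withholds the response from the page
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # caches must not serve one origin's headers to another
    }


def is_preflighted(method: str, headers: dict) -> bool:
    """True if a browser would send an OPTIONS preflight before this request.
    A False result means the request, cookies included, reaches the handler
    directly, so the handler cannot rely on the preflight as a gate."""
    if method not in SIMPLE_METHODS:
        return True
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    if "content-type" in hdrs and ctype not in SIMPLE_CONTENT_TYPES:
        return True
    return bool(set(hdrs) - SAFELISTED_HEADERS)  # any custom header forces preflight


def handle_state_change(method: str, session_token: str, form_token: str) -> int:
    """Simulated state-changing endpoint; returns an HTTP status code.
    Whatever the CORS headers say, a non-preflighted POST must present a CSRF
    token matching the one bound to the session (constant-time comparison)."""
    if method in ("GET", "HEAD"):
        return 405  # state changes never ride on safe methods
    if not (session_token and form_token
            and hmac.compare_digest(session_token, form_token)):
        return 403
    return 200
```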