
If the site accepts httpsb it can as well support the Origin header [0] and the problem is solved.

[0]: https://wiki.mozilla.org/Security/Origin




The whole point is to allow any site to access any other site, just like plain TCP sockets, without stealing your cookies.

If the site wants to access google.com with its own cookies, fine, why not?


Could you elaborate on the "stealing your cookies" part?

Cookies are sent only to the origin that set them and (except XSS attacks) are not revealed to anyone else. So who exactly is stealing them?


Well, currently, nothing. But currently, the web is completely broken.

If you want web-applications to be powerful, and open, you also need to be able to have any web application access any URL.

Why should only mail.google.com be able to access my emails, and not also my-little-opensource-webmail.com?

To facilitate that, without also adding cookie stealing back in, you need to allow any website to open standard TCP sockets.



