NOTICE: This version of the NSF Unidata web site (archive.unidata.ucar.edu) is no longer being updated.
Current content can be found at unidata.ucar.edu.
To learn about what's going on, see About the Archive Site.
NOTICE: This version of the NSF Unidata web site (archive.unidata.ucar.edu) is no longer being updated.
Current content can be found at unidata.ucar.edu.
To learn about what's going on, see About the Archive Site.
Hi all, An honest (and perhaps innocent) question - if a server is already public and read-only, what is there to lose by enabling CORS? The cross-origin security constraints exist for the security of the client (browser), not the server. You could after all be accessing the server through something that isn't a browser at all. However, if a server requires logins, and/or allows changes to the server to be made through the web interface, then CORS is perhaps more of an issue (most of the examples in the website Dennis quotes are around these use cases). >From that same website, the risk of allowing CORS for a public read-only site >appears to be that an attacker could use users' web browsers to perform a >distributed denial-of-service attack, which is surely already possible anyway >(and is why many sysadmins implement throttling or some other strategy). Cheers, Jon (not a security expert or a sysadmin!)
thredds archives: