No, it doesn't require paying Google. And if you're premising your argument on an assumption that enterprises don't have to actively manage their software and networks, I think you're gonna have a bad time.
First, the Chrome OS thing is both false and not germane. The rest just feels very FUDy. Yes, what I'm suggesting would open up a new hole. However, it is narrowly defined as additional exposure (i.e. read vs. blind GET) to *already* vulnerable systems.
While I'm obviously pro enterprise policy, I think we need to be convinced that this is Mostly Harmless without policy, perhaps with CORS-RFC1918 as a pre-req. But if we're going to talk CORS, why not just introduce a CORS-Anonymous spec? What's the use-case?
The idea is to make it easy for sites to access public resources, instead of forcing them to proxy everything through their own servers like they do today. That's why it would have to be opt-out (via default restrictions, enterprise policy, origin policy, header, etc.).
for what sorts of public resources exactly? I assume you're not just talking about CDNs? is the intent to do things like "generate link previews in a messenger client-side"?
No, by "public" I'm literally referring to anything that I could hit with an anonymous HTTP GET from a random host sitting outside of your network. That's the kind of stuff that people proxy all over the place today.
can you be more specific than "all over the place"? which proxying use cases do you want to replace? AFAIU some sites specifically use a proxy for privacy reasons, and for others (like messaging sites), letting the sending client generate the preview causes authenticity problems
[inb4 webpackage]