
I've been learning about the Same Origin Policy. If you just want to access public JSON content, you have to use a workaround, such as CORS, a reverse proxy, or JSONP.

If there were a way in ECMAScript for a script to explicitly ask the browser to send an unauthenticated request, scripts could access public content while browsers wouldn't have to worry about cookies being misused.

Things are rarely so simple, and I'm sure there's a reason why such functionality doesn't exist. I don't know the topic well enough to think of it, though.

  • CORS is how the content indicates that it is public. It's not a workaround.
    – OrangeDog
    Commented Aug 6, 2016 at 20:13

1 Answer


... ask the browser to send an unauthenticated request

The browser doesn't know how authentication is done by the server. It can be done with session cookies, client certificates, the client's source IP address, or simply because the client is able to reach the server at all.

For example, you often have a company wiki or bug tracker inside the company's intranet, i.e. not directly reachable from outside. If an attacker were able to make an "unauthorized" (i.e. no cookies) XMLHttpRequest to these internal resources from an external page (for example using a targeted advertisement), then the attacker could exfiltrate important internal information from the company.
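To make the answer and the comment above concrete, here is an added example (not code from the question, the answer, or any browser) that models the read check a browser applies to a cross-origin response. It shows why the Fetch/XHR machinery cannot simply trust a "no cookies" request: an intranet wiki that is protected only by network reachability sends no CORS headers at all, so the browser refuses to hand its response to a script from another origin regardless of whether cookies were attached, while a server that really is public marks that with `Access-Control-Allow-Origin`. All origins, headers and function names are constructed for the example.

```javascript
// Added example: a model of the browser-side CORS read check. This is not the
// code of any real browser; it follows the rules the Fetch standard describes.

// Return true if a script running at `scriptOrigin` may read a cross-origin
// response with the given (lower-cased) headers, for a request sent with
// credentials mode "omit" (no cookies) or "include" (cookies attached).
function canReadCrossOrigin(scriptOrigin, responseHeaders, credentialsMode) {
  const allowOrigin = responseHeaders["access-control-allow-origin"];
  const allowCredentials = responseHeaders["access-control-allow-credentials"];

  // No header: the server never declared this content public, so the
  // response stays opaque to the script even if the request was cookieless.
  if (allowOrigin === undefined) return false;

  if (credentialsMode === "include") {
    // With cookies attached the wildcard is rejected; the server has to name
    // the exact origin and opt in to credentialed access explicitly.
    return allowOrigin === scriptOrigin && allowCredentials === "true";
  }

  // Cookieless request: a wildcard or an exact origin match suffices.
  return allowOrigin === "*" || allowOrigin === scriptOrigin;
}

// How a server indicates that a resource is public (the point of the comment
// above): emit the wildcard only for resources it actually considers public.
function corsHeadersFor(resource) {
  return resource.public ? { "access-control-allow-origin": "*" } : {};
}

// Constructed sample responses, as a browser would see them.
const PUBLIC_JSON = {
  "content-type": "application/json",
  ...corsHeadersFor({ public: true }),
};
// Intranet wiki: reachable only from inside the network, sends no CORS headers.
const INTRANET_WIKI = {
  "content-type": "text/html",
  ...corsHeadersFor({ public: false }),
};
// An API that allows one named origin to read it with cookies.
const PARTNER_API = {
  "access-control-allow-origin": "https://app.example",
  "access-control-allow-credentials": "true",
};

// Evaluate the check for a page served from a constructed third-party origin.
function demo() {
  const thirdParty = "https://other.example";
  return {
    publicJson: canReadCrossOrigin(thirdParty, PUBLIC_JSON, "omit"),
    // Cookieless request to the intranet wiki is still unreadable: no opt-in.
    intranetWiki: canReadCrossOrigin(thirdParty, INTRANET_WIKI, "omit"),
    partnerWrongOrigin: canReadCrossOrigin(thirdParty, PARTNER_API, "include"),
    partnerRightOrigin: canReadCrossOrigin("https://app.example", PARTNER_API, "include"),
    // Wildcard plus cookies is refused, so "*" cannot leak credentialed data.
    wildcardWithCookies: canReadCrossOrigin(thirdParty, PUBLIC_JSON, "include"),
  };
}

console.log(demo());
```

The `intranetWiki` case is the one the answer describes: the request carries no cookies, yet the browser still blocks the read, because the only thing that proves content is public is the server's own CORS header, not the absence of credentials on the request.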
