You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+4-4Lines changed: 4 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -363,7 +363,7 @@ in a browser, the browser will send an extra warning HTTP header, the Origin hea
363
363
```
364
364
Origin: https://scripts.example.com:8080
365
365
```
366
-
(For background, see also [Backgrounder on Same Origin Policy and CORS](https://sold.github.io/web-access-control-spec/Background))
366
+
(For background, see also [Backgrounder on Same Origin Policy and CORS](https://solid.github.io/web-access-control-spec/Background))
367
367
Note that the origin comprises the protocol and the DNS and port but none of the path,
368
368
and no trailing slash.
369
369
All scripts running on the same origin are assumed to be run by the same
@@ -385,13 +385,13 @@ the origin MUST be allowed access*
385
385
386
386
Note it is a really good idea to make it clear both in the text of the status message and in the body of
387
387
the message the difference between the user not being allowed and the web app they are using
388
-
not bing trusted.
388
+
not being trusted.
389
389
390
390
** Possible future alternative: Set ACAO header to `"*"` indicating that the document is public. This will though block in the browser any access made using credentials.
391
391
392
392
#### Adding trusted web apps.
393
393
394
-
The authorization of trusted web app is a running battle between readers and writers on the web, and manevalent parties trying to break in to get unauthorized access. The history or Cross-Site Scripting attacks and the introduction of the Same Origin Policy is not detailed here, The CORS specification in general prevents any web app from accessing any data from or associated with a different origin. The web server can get around CORS. It is a pain to to do so, as it involves the server code echoing back the Orin header in the ACAO header, and also it must be done only when the web app in question actually is trustworthy.
394
+
The authorization of trusted web app is a running battle between readers and writers on the web, and malevolent parties trying to break in to get unauthorized access. The history or Cross-Site Scripting attacks and the introduction of the Same Origin Policy is not detailed here, The CORS specification in general prevents any web app from accessing any data from or associated with a different origin. The web server can get around CORS. It is a pain to to do so, as it involves the server code echoing back the Origin header in the ACAO header, and also it must be done only when the web app in question actually is trustworthy.
395
395
396
396
In solid a maxim is, you have complete control of he data. Therefore it is up to the owner of the data, the publisher, the controller of the ACL, or more broadly the person running the solid server, to specify who gets access, be it people or apps. However another maxim is that you can chose which app you use. So of Alice publishes data, and Bob want to use his favorite app, then how does that happen?
397
397
@@ -524,7 +524,7 @@ described here, will remain the same
524
524
525
525
## See also
526
526
527
-
[Background on CORS](https://sold.github.io/web-access-control-spec/Background)
527
+
[Background on CORS](https://solid.github.io/web-access-control-spec/Background)
0 commit comments