Noobie question: isn't it Really Bad™ to mandate permissive CORS?

Hey all, sorry in advance for the noobie question. I’m reading through the Solid specification and one of my immediate thoughts was, “one does not simply mandate permissive CORS from all implementations. Doesn’t that open all servers up to widespread DDoS-via-XSS by default?”

That said, I don’t know much about WebACL. I suppose if ACLs are sufficiently cacheable and allow a similar granularity to CORS, it might be fine.

Can anyone help me understand how to think about this and conceptually board the WebACL train? :train: :smile:

Good question; the answer is that we do not need the protection mechanisms that CORS blocking provides, because we rely on explicit authentication mechanisms. Some insights at https://github.com/whatwg/fetch/issues/878

3 Likes
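To make the answer's point concrete, here is an added illustration (not from the thread, the Solid specification, or any real server): a minimal resource handler that sends permissive CORS headers to every origin but decides read access only from an explicit bearer credential, never from ambient cookies, so a cross-site page gains nothing from the relaxed CORS. The ACL table, token map and WebIDs are constructed stand-ins for a WebACL document and a Solid-OIDC token check.

```javascript
// Constructed ACL: which agent (WebID) may read which resource.
const ACL = {
  "/alice/private.ttl": { read: ["https://alice.example/profile#me"] },
  "/alice/public.ttl":  { read: ["*"] },
};

// Constructed mapping from bearer token to WebID; stands in for a real
// token verification step (e.g. Solid-OIDC), which is out of scope here.
const TOKENS = { "tok-alice-1": "https://alice.example/profile#me" };

// The same CORS headers are returned for every origin: the browser may read
// the response, but that only matters once the request itself was authorized.
function corsHeaders(origin) {
  return {
    "Access-Control-Allow-Origin": origin || "*",
    "Access-Control-Allow-Headers": "Authorization",
    "Access-Control-Expose-Headers": "WWW-Authenticate",
  };
}

// Returns the agent allowed to read the resource, "public" for world-readable
// resources, or null. Only the Authorization header is consulted; a Cookie
// header is deliberately ignored, so ambient credentials carry no weight.
function authorize(resource, headers) {
  const rule = ACL[resource];
  if (!rule) return null;
  if (rule.read.includes("*")) return "public";
  const match = /^Bearer (\S+)$/.exec(headers["authorization"] || "");
  const agent = match && TOKENS[match[1]];
  return agent && rule.read.includes(agent) ? agent : null;
}

// Hypothetical request shape: { method, path, headers } with lower-case
// header names. Returns { status, headers, body }.
function handle(req) {
  const headers = corsHeaders(req.headers["origin"]);
  if (req.method === "OPTIONS") return { status: 204, headers, body: "" };
  const agent = authorize(req.path, req.headers);
  if (!agent) {
    headers["WWW-Authenticate"] = 'Bearer realm="solid"';
    return { status: 401, headers, body: "" };
  }
  return { status: 200, headers, body: `<${req.path}> read by ${agent}` };
}
```

A hostile page can still make the browser send the request (CORS never prevented that), but without an explicitly attached token the private resource comes back as 401 regardless of how permissive the CORS headers are.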