[rtpg]

I understand what you're saying, but plenty of websites resolve this by having an in-browser OAuth flow, and then working off of an API. It's not like APIs are asking for CORS stuff in general, just cookie auth to the third party server requires CORS.

If a third-party webapp wanted to access Reddit, an auth flow that gets API tokens from it and then stories those for usage gets this working (in the universe in which Reddit wants this to happen of course). You still get CORS protection from the general drive-by issues, and you'll need an explicit auth step on a third party site (but that's why OAuth sends you to the data provider's website to then be redirected)

[jakear]

I don’t think you do get what I’m saying. If an Origin wants to be accessed by other Origins there are plenty of ways to do that, that much should be obvious.

I’m talking about the case when the User wants origin A to render data origin B has, but origin B doesn’t want that. You’d expect the User Agent to act on the User’s behalf and hand B’s data to A after confirming with the User that is their intention.

But instead the User Agent totally disregards the User and exclusively listens to origin B. This prevents the User from rendering the data in the more accessible/secure/privacy-preserving/intuitive way that origin A would have provided.

Strange to see all the comments arguing that in fact the browser ought to be an Origin Agent.

[rtpg]

> Strange to see all the comments arguing that in fact the browser ought to be an Origin Agent

Funny

One universe I could see is the browser allowing a user to grant cross origin cookies when wanted. Though even then a site B that really doesn’t want this can stick CSRF tokens in the right spots and that just falls apart immediately

I imagine you understand the security questions at play here right? Since a user going to origin A might not know what other origins that origin A wants to reach out to.

CSRF mitigations mean that origins could still block things off even without CORS, but it’s an interesting thought experiment

[jakear]

Can they stick CSRF tokens in the right spot under this model? The typical CSRF mitigations require other origins to not be able to access the HTML of the page (as they just inject a hidden form field or similar). If the cross-origin has full access to the page’s resources they ought to be able to emulate the environment of the page as viewed in-origin quite accurately.

Worth noting this model would introduces no new holes - everything I ask for is already possible when running a native application.

[rtpg]

I get what you're saying w/r/t CSRF. While every app could be different, in practice most websites do real bog-standard CSRF tokens, and I could see a user agent be able to get things working with like 95% of websites. Though I could think of many schemes to obfuscate things dynamically if you are motivated enough! But I like the idea of a user agent that is built around making it easier for you to just get "your" data in these ways.

> introduces no new holes - everything I ask for is already possible when running a native application.

A native application involves downloading a binary and installing it on your machine. Those involve a higher degree of trust than, say, clicking on a random URL. "I will read this person's blog" vs "I will download a binary to read this preson's blog" are acts with different trust requirements. At least for most people.

I suppose in a somewhat ironic way the iOS sandbox makes me feel more comfortable downloading random native apps but it probably really shouldn't! The OS is good about isolating cookie access for exactly the sort of things you're talking about (the prompt is like "this app wants to access your data for website.com)), but I should definitely be careful