- From: roryhewitt <notifications@github.com>
- Date: Wed, 23 Mar 2016 12:31:15 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
Received on Wednesday, 23 March 2016 19:31:44 UTC
Hmmm. If allowing `Access-Control-Allow-Headers: *` in credentialed requests **does** indeed open up any additional security holes, what are they (to be clear, I am assuming that forbidden headers are not allowed in any case)? What I mean is that it's great that we're discussing introducing new functionality to make CORS more usable, but it's a shame that we're also limiting it to a subset of applications. If there is a valid reason to do this (_actual_ quantifiable security risk), that makes sense. I just don't see the specific risk vector here. Basically, what specific security issue is introduced by allowing this?

---

You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/251#issuecomment-200508396
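For readers following the thread, here is an added example (my own code, not from the whatwg/fetch project or any participant) that models the header-name part of a CORS preflight check as the Fetch standard ended up specifying it: `*` in `Access-Control-Allow-Headers` is a wildcard only when the request's credentials mode is not `include`; with credentials it is treated as the literal header name `*`, and the later spec text additionally keeps `Authorization` out of the wildcard. It also shows the server-side pattern that works the same way in both modes: answering `Access-Control-Request-Headers` by echoing only the names on a configured allowlist rather than replying `*`. All function names, the allowlist and the sample header names are my own assumptions.

```python
# Added example: a minimal model of the CORS preflight header-name check
# (Fetch standard, CORS-preflight fetch) plus the server-side allowlist echo.
# Function names, sample headers and the allowlist are constructed for this
# example; they are not part of the thread or the spec text.
from __future__ import annotations

# CORS-safelisted request headers never need to be listed in
# Access-Control-Allow-Headers (their value restrictions are ignored here).
CORS_SAFELISTED_REQUEST_HEADERS = {
    "accept", "accept-language", "content-language", "content-type",
}


def parse_header_names(value: str | None) -> set[str]:
    """Split a comma-separated header-name list into lowercase names."""
    if value is None:
        return set()
    return {name.strip().lower() for name in value.split(",") if name.strip()}


def preflight_headers_allowed(
    request_headers: list[str],
    allow_headers_value: str | None,
    credentials_include: bool,
) -> tuple[bool, list[str]]:
    """Return (ok, rejected_names) for the browser-side preflight check.

    Rules modelled:
    - safelisted request headers never need to be listed;
    - '*' is a wildcard only when credentials mode is NOT 'include';
      with credentials it is just the literal header name '*';
    - 'Authorization' is never covered by the wildcard and must be listed
      by name (later spec behaviour, not yet decided in this thread).
    """
    allowed = parse_header_names(allow_headers_value)
    wildcard = "*" in allowed and not credentials_include
    rejected: list[str] = []
    for name in request_headers:
        lname = name.lower()
        if lname in CORS_SAFELISTED_REQUEST_HEADERS:
            continue
        if lname in allowed:          # listed explicitly: always fine
            continue
        if wildcard and lname != "authorization":
            continue                  # covered by '*' (non-credentialed only)
        rejected.append(name)
    return (not rejected, rejected)


def server_allow_headers(requested_value: str | None, permitted: set[str]) -> str | None:
    """Server side: answer Access-Control-Request-Headers by echoing only the
    requested names that a configured allowlist permits, instead of replying
    '*'. This behaves identically for credentialed and non-credentialed
    requests, so the server need not know the request's credentials mode."""
    requested = parse_header_names(requested_value)
    granted = sorted(requested & {p.lower() for p in permitted})
    return ", ".join(granted) if granted else None


if __name__ == "__main__":
    # Constructed sample: a request carrying a custom header plus Content-Type.
    req = ["X-Custom", "Content-Type"]
    print(preflight_headers_allowed(req, "*", credentials_include=False))
    print(preflight_headers_allowed(req, "*", credentials_include=True))
    print(preflight_headers_allowed(["Authorization"], "*", credentials_include=False))
    print(server_allow_headers("X-Custom, X-Other", {"X-Custom"}))
```

The second call is the case the thread is about: with credentials, `*` no longer covers `X-Custom`, so the preflight fails unless the server names the header. The `server_allow_headers` helper is the usual way out: the server never needs to emit `*` at all, and an explicit allowlist keeps the same behaviour regardless of whether cookies or other credentials are attached.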