Re: [w3ctag/design-reviews] "With Credentials" flag possibly inconsistent with web architecture (#76)

From a security point of view, raising a different type of event when `ACAO: *` is used, but credentials are sent, sounds fine to me.

One of the design constraints that we originally had was that CORS shouldn't make it possible to scan for existing servers behind firewalls. That was one of the reasons (or maybe even *the* reason) that we fire generic "network error" events for all types of errors. However, if a special event is raised only for `ACAO: *`, then that would avoid that problem since such servers would be possible to find anyway.

https://github.com/w3ctag/design-reviews/issues/76#issuecomment-379140804

Received on Friday, 6 April 2018 03:50:58 UTC