
Re: Why preflight per-resource rather than per-origin?

From: Anne van Kesteren <annevk@opera.com>
Date: Fri, 18 Dec 2009 13:55:08 +0100
To: "Mark S. Miller" <erights@google.com>, public-webapps <public-webapps@w3.org>
Message-ID: <op.u44wt6gb64w2qv@annevk-t60>

On Thu, 17 Dec 2009 22:24:56 +0100, Mark S. Miller <erights@google.com> wrote:
> Despite the costs of doing preflight opt-in on a per-resource basis rather
> than a per-origin basis, to meet its security goals, CORS proposes to do
> preflight on a per-resource basis. I have seen the rationale for this stated
> in bits and pieces. Can anyone point me at a reasonably self contained
> statement for why we need preflight on a per-resource rather than a
> per-origin basis? If there's nothing adequate to point at, could someone
> state a reasonably self contained rationale for this? Thanks.

We are concerned that a per-origin model would not be implemented  
correctly. In addition it would be somewhat of a pain in case of different  
services maintained by different parties hosted on a single origin which  
we expect to be reasonably common.

Anne van Kesteren
Received on Friday, 18 December 2009 12:55:50 UTC
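
Added example, not part of the original message or of the CORS specification text: a sketch of the shared-origin case the reply mentions, comparing a per-resource preflight decision with a hypothetical per-origin one. The paths, the partner origin, the policy-table shape and the way the per-origin policy is built are all assumptions made for illustration.

```javascript
// Constructed sample: one origin hosting two services run by different parties.
// Only the calendar service's maintainer has opted in to cross-origin writes.
const resourcePolicies = new Map([
  ["/calendar/events", { origins: ["https://partner.example"], methods: ["PUT", "DELETE"] }],
  // "/payroll/records" has no entry: its maintainer never opted in.
]);

// Per-resource model: the answer to the preflight (OPTIONS) request depends on
// the URL being requested, so every resource has to opt in for itself.
function perResourcePreflight(policies, path, origin, method) {
  const p = policies.get(path);
  if (!p || !p.origins.includes(origin) || !p.methods.includes(method)) {
    return null; // no CORS headers, so the browser never sends the actual request
  }
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": p.methods.join(", "),
  };
}

// Hypothetical per-origin model: a single policy answers for every path on the
// host. It is modelled here as the union of what any service opted in to.
function perOriginPolicy(policies) {
  const origins = new Set();
  const methods = new Set();
  for (const p of policies.values()) {
    p.origins.forEach((o) => origins.add(o));
    p.methods.forEach((m) => methods.add(m));
  }
  return { origins: [...origins], methods: [...methods] };
}

// The path argument is accepted but unused: that is the point of the comparison.
function perOriginPreflight(hostPolicy, _path, origin, method) {
  if (!hostPolicy.origins.includes(origin) || !hostPolicy.methods.includes(method)) {
    return null;
  }
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": hostPolicy.methods.join(", "),
  };
}
```

With this sample data, a preflight for DELETE on /payroll/records from https://partner.example is refused under the per-resource check but allowed under the per-origin one, because the calendar service's opt-in speaks for the whole host.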
