Re: CORS performance

* Jonas Sicking wrote:
>We most likely can consider the content-type header as *not* "custom".
>I was one of the people way back when that pointed out that there's a
>theoretical chance that allowing arbitrary content-type headers could
>cause security issues. But it seems highly theoretical.
>
>I suspect that the mozilla security team would be fine with allowing
>arbitrary content-types to be POSTed though. Worth asking. I can't
>speak for other browser vendors of course.

I think the situation might well be worse now than it was when we first
started discussing what is now "CORS". In any case, this would be an ex-
periment that cannot easily be undone, browser vendors would not pay the
bill if there are actually large scale security vulnerabilities opened
up by such a change, and I do not really see notable benefits in con-
ducting such an experiment.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
 Available for hire in Berlin (early 2015)  · http://www.websitedev.de/ 

Received on Thursday, 19 February 2015 22:00:10 UTC