- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 19 Mar 2013 11:11:42 -0400
- To: Mike West <mkwst@google.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>, "dveditz@mozilla.com" <dveditz@mozilla.com>

On Tue, Mar 19, 2013 at 10:54 AM, Mike West <mkwst@google.com> wrote:
> There is not a guarantee that the report URIs are same-origin, though I
> believe Mozilla enforces that requirement (Daniel? Can you confirm?).
>
> WebKit uses the same mechanism for these requests as used for hyperlink
> auditing, which has similar requirements. Can you elaborate on the value of
> adding a CORS preflight to the mix?

The problem is that you are doing something that was not possible thus far and thus it may have security implications. That's the whole reason why CORS requires a preflight.

Hyperlink auditing seems quite constrained, but yeah, I did forget that does something that <form> does not allow. Then again, I'm not sure that's a reason to open this up even further.

--
http://annevankesteren.nl/

Received on Tuesday, 19 March 2013 15:12:10 UTC