Re: CORS restrictions on preflight (too) strict? from Miel Vander Sande (UGent-imec) on 2018-08-06 (public-webappsec@w3.org from August 2018)

From: Miel Vander Sande (UGent-imec) <Miel.VanderSande@UGent.be>
Date: Mon, 6 Aug 2018 09:03:33 +0000
To: Daniel Veditz <dveditz@mozilla.com>
CC: "Ruben Verborgh (UGent-imec)" <Ruben.Verborgh@UGent.be>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Herbert Van de Sompel <hvdsomp@gmail.com>
Message-ID: <3F839746-6E56-4DB4-82E8-DCAE4777399A@ugent.be>

Thanks for the clarification all. I looked over the github issue Ruben created and thought no discussion was held since the email.
I’ll follow this up with the fetch developments.

Best regards,

Miel Vander Sande
Postdoctoral Researcher at IDLab, Ghent University, in collaboration with imec

AA Tower | Technologiepark 19 9052 Ghent
www.idlab.technology<http://www.idlab.technology>
@Miel_vds




On 4 Aug 2018, at 02:14, Daniel Veditz <dveditz@mozilla.com<mailto:dveditz@mozilla.com>> wrote:

On Fri, Aug 3, 2018 at 4:21 PM, Ruben Verborgh (UGent-imec)
<Ruben.Verborgh@ugent.be<mailto:Ruben.Verborgh@ugent.be>> wrote:
I think Ruben went wrong trying to argue all Accept-* headers are safe.

I still haven't been proven wrong, but I get your point.

Yeah I'm not judging the merits, just noting it made the issue bigger
and added friction.

-Dan Veditz

Received on Monday, 6 August 2018 09:05:07 UTC