CORS question

Hey guys,

Co-workers of mine were trying to understand the threat model of CORS, and I
was having trouble articulating some of the particular risks that the spec
attempts to avoid.  Why does the OPTIONS pre-flight request never carry
credentials?

Thanks,
Brandon

Received on Tuesday, 5 February 2013 22:10:44 UTC