Re: [whatwg/fetch] RFC: a mechanism to bypass CORS preflight (#210)

@bifurcation I still have some concerns about any syntax for allowing per-directory policies.

As I mentioned in [my comment above](https://github.com/whatwg/fetch/issues/210#issuecomment-179561072), at least at the time when we designed CORS, there were servers that had some quite odd handling of certain characters.

The result was that when a client made requests to `/dir1/<special characters>/dir2/script.cgi`, the server would launch `/dir2/script.cgi`.

What happened was that the client interpreted the "special characters" just like any other characters, and thus as simply a directory name. However, the server interpreted the "special characters" as ".." or "/".

This wasn't some obscure server, but one of the more prevalent servers at the time, which is also why I'm reluctant to get into details about what the "special characters" or the server were in a public forum. Happy to provide more details over private email.

It's certainly possible that this problem isn't common enough any more that we need to worry about it. After all, this feature is opt-in, so we can simply rely on server admins knowing what they are doing and not opting in to per-directory policies on affected servers.

But since this problem killed per-directory policies in CORS v1, I wanted us to at least be intentional about this decision if we're going back on it now.


Also, I'm still quite nervous about this supporting requests with credentials. It's a slightly smaller footgun than the widely-misused crossdomain.xml feature in Flash. But only slightly smaller.

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/210#issuecomment-211581896

Received on Monday, 18 April 2016 21:15:17 UTC
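The client/server disagreement described in the comment above, as an added illustration that is not part of the thread and not code from the Fetch or CORS specifications. The comment deliberately does not say which "special characters" or which server were involved; this example uses a percent-encoded slash (`%2f`) as an assumed stand-in for them, and the server side is a simulation of a generic server that percent-decodes the path before resolving `..` segments, not the behaviour of any named product. The client side uses Node's WHATWG `URL` parser, which splits the path only on literal `/` and leaves existing percent-encoded bytes alone. The function names (`clientPathSegments`, `serverResolvedPath`, `policyMismatch`, `segmentsStableUnderDecoding`) are hypothetical.

```javascript
// Added example: why a per-directory policy is unsound when the client and
// the server canonicalise paths differently. The "%2f" stand-in and the
// server's decode-then-normalise behaviour are assumptions made for this
// illustration, not the characters or server withheld in the thread.

// Client view (WHATWG URL parser): the path is split on literal "/" only,
// so "%2f..%2f..%2fdir2" is one opaque segment under /dir1/.
function clientPathSegments(url) {
  return new URL(url).pathname.split("/").slice(1);
}

// Simulated server: percent-decode first, then resolve "." and ".." and
// collapse empty segments. After decoding, "%2f" becomes "/" and the ".."
// segments walk back out of /dir1/.
function serverResolvedPath(rawPath) {
  const decoded = decodeURIComponent(rawPath);
  const out = [];
  for (const seg of decoded.split("/").slice(1)) {
    if (seg === "" || seg === ".") continue; // collapse "//" and "/./"
    if (seg === "..") { out.pop(); continue; } // never above the root
    out.push(seg);
  }
  return "/" + out.join("/");
}

// A per-directory policy as each side would evaluate it: is the resource
// under the directory that opted in? Returns both answers plus the path the
// simulated server would actually execute.
function policyMismatch(url, policyDir) {
  const clientPath = new URL(url).pathname;
  const serverPath = serverResolvedPath(clientPath);
  return {
    clientSaysUnder: clientPath.startsWith(policyDir),
    serverSaysUnder: serverPath.startsWith(policyDir),
    serverPath,
  };
}

// The check a server admin would want before opting a directory in: every
// raw segment must decode to something that is still one plain segment
// (no "/" or "\", not "." or "..", no malformed escapes). If this fails the
// client and server can disagree about which directory the request is in.
function segmentsStableUnderDecoding(rawPath) {
  return rawPath.split("/").slice(1).every((seg) => {
    let dec;
    try { dec = decodeURIComponent(seg); } catch { return false; }
    return !dec.includes("/") && !dec.includes("\\") && dec !== "." && dec !== "..";
  });
}

// Constructed request: the client believes it is fetching something under
// /dir1/; the simulated server runs /dir2/script.cgi, which never opted in.
const target = "http://example.test/dir1/%2f..%2f..%2fdir2/script.cgi";
console.log("client segments:", clientPathSegments(target));
console.log("policy for /dir1/:", policyMismatch(target, "/dir1/"));
console.log("safe to opt in?", segmentsStableUnderDecoding(new URL(target).pathname));

module.exports = { clientPathSegments, serverResolvedPath, policyMismatch, segmentsStableUnderDecoding };
```

The point of `segmentsStableUnderDecoding` is not that it makes per-directory policies safe in general (an origin server may apply other transformations, such as case folding or backslash handling, that this check does not model) but that any such opt-in has to be conditioned on the server's own canonicalisation agreeing with the client's, which is exactly the guarantee the comment says could not be assumed across widely deployed servers.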