- From: Anne van Kesteren <notifications@github.com>
- Date: Thu, 24 Mar 2016 11:12:01 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
Received on Thursday, 24 March 2016 18:12:37 UTC
Well, we could ask Chromium folks such as @foolip and @mikewest to set up measurement to figure out how many CORS credentialed requests there are vs non-credentialed.

The attack @sicking mentioned is that if you have `*` but also use a header as CSRF token, that token can now be spoofed by any other website, leading to CSRF vulnerabilities (which are almost exclusively a concern for credentialed requests).

As for including more information in the specification, there's at least one open issue to that effect, #206, and I am certainly open to that as I already mentioned elsewhere. It'll happen quicker with specific PRs or issues.

View it on GitHub: https://github.com/whatwg/fetch/issues/251#issuecomment-200954401
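The CSRF-token-header point above, as an added example that is not code from the Fetch specification or the whatwg/fetch repository: a small model of the browser's CORS response check, run against a constructed weak policy and a constructed hardened one. The origins, the `X-CSRF-Token` header name and the policy values are assumptions.

```python
# Added example (not code from whatwg/fetch): a small model of the browser's
# CORS response check, enough to show why `Access-Control-Allow-Origin: *`
# plus an allow-listed CSRF-token header lets any origin send that header.
# All request headers passed in are treated as non-safelisted (assumption).

def _csv(value):
    return [v.strip().lower() for v in value.split(",") if v.strip()]

def cors_check(response_headers, origin, credentials, request_headers):
    """True if the browser would accept the response for this request.
    Rules taken from Fetch: allow-origin must be `*` or the exact origin;
    `*` is not accepted for credentialed requests; credentialed requests
    also need Allow-Credentials: true; each request header must appear in
    Allow-Headers, where `*` is a wildcard only without credentials."""
    h = {k.lower(): v for k, v in response_headers.items()}
    allow_origin = h.get("access-control-allow-origin")
    if allow_origin is None:
        return False
    if allow_origin == "*":
        if credentials:
            return False
    elif allow_origin != origin:
        return False
    if credentials and h.get("access-control-allow-credentials") != "true":
        return False
    allowed = _csv(h.get("access-control-allow-headers", ""))
    for name in request_headers:
        if name.lower() not in allowed and not ("*" in allowed and not credentials):
            return False
    return True

def csrf_header_exposed(response_headers, token_header):
    """Defender check: can an arbitrary (constructed) origin send the
    CSRF-token header under this policy?  True means the header's presence
    no longer proves the request came from a same-origin page."""
    return cors_check(response_headers, "https://other-site.example", False, [token_header])

# Constructed preflight responses for a server that relies on X-CSRF-Token.
WEAK = {"Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Headers": "X-CSRF-Token, Content-Type"}
# Hardened: name the one trusted origin instead of `*` (and send Vary: Origin).
STRICT = {"Access-Control-Allow-Origin": "https://app.example",
          "Access-Control-Allow-Headers": "X-CSRF-Token",
          "Vary": "Origin"}

if __name__ == "__main__":
    print("weak policy exposes token header:", csrf_header_exposed(WEAK, "X-CSRF-Token"))
    print("strict policy exposes token header:", csrf_header_exposed(STRICT, "X-CSRF-Token"))
```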