Re: Why preflight per-resource rather than per-origin?

On Thu, 17 Dec 2009 22:24:56 +0100, Mark S. Miller <erights@google.com> wrote:
> Despite the costs of doing preflight opt-in on a per-resource basis rather
> than a per-origin basis, to meet its security goals, CORS proposes to do
> preflight on a per-resource basis. I have seen the rationale for this stated
> in bits and pieces. Can anyone point me at a reasonably self-contained
> statement for why we need preflight on a per-resource rather than a
> per-origin basis? If there's nothing adequate to point at, could someone
> state a reasonably self-contained rationale for this? Thanks.

We are concerned that a per-origin model would not be implemented
correctly. In addition, it would be somewhat of a pain in case of different
services maintained by different parties hosted on a single origin, which
we expect to be reasonably common.


-- 
Anne van Kesteren
http://annevankesteren.nl/

Received on Friday, 18 December 2009 12:55:50 UTC