- From: Anne van Kesteren <annevk@opera.com>
- Date: Fri, 18 Dec 2009 13:55:08 +0100
- To: "Mark S. Miller" <erights@google.com>, public-webapps <public-webapps@w3.org>
On Thu, 17 Dec 2009 22:24:56 +0100, Mark S. Miller <erights@google.com> wrote: > Despite the costs of doing preflight opt-in on a per-resource basis > rather > than a per-origin basis, to meet its security goals, CORS proposes to do > preflight on a per-resource basis. I have seen the rationale for this > stated > in bits and pieces. Can anyone point me at a reasonably self contained > statement for why we need preflight on a per-resource rather than a > per-origin basis? If there's nothing adequate to point at, could someone > state a reasonably self contained rationale for this? Thanks. We are concerned that a per-origin model would not be implemented correctly. In addition it would be somewhat of a pain in case of different services maintained by different parties hosted on a single origin which we expect to be reasonably common. -- Anne van Kesteren http://annevankesteren.nl/
Received on Friday, 18 December 2009 12:55:50 UTC