Re: CORS, Preflight caching and Access-Control-Policy-

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 19 Jun 2014 11:44:52 +0200
Message-ID: <CADnb78iLDz0epJEY64TLqZS8SFX=jfY-jjs_-aML8t09Sh-C2Q@mail.gmail.com>
To: Garet Claborn <garet@approach.im>
Cc: WebApps WG <public-webapps@w3.org>

On Tue, Jun 17, 2014 at 11:27 PM, Garet Claborn <garet@approach.im> wrote:
> Some aspects of this proposal could most likely be enhanced and/or
> simplified. There's quite a bit I do not know about the current state
> of discussion in this area. Simply, I hope that we'll eventually have
> a cleaner interface towards securing CORS and automating access across
> networks.

I might be missing something, but I don't see how these secure against
the IIS bug.

We could ignore that bug and put a warning sign in the specification,
as Ian suggested back then. Is there sufficient usage of CORS to add
the complexity? And, are server administrators okay with this being
possible?

The most attractive solution would be to do an OPTIONS * fetch of
sorts against a given host. Because basically the entire preflight
thing is a dance to figure out if the server knows about CORS.


-- 
http://annevankesteren.nl/
Received on Thursday, 19 June 2014 09:45:19 UTC
