- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 19 Jun 2014 11:44:52 +0200
- To: Garet Claborn <garet@approach.im>
- Cc: WebApps WG <public-webapps@w3.org>
On Tue, Jun 17, 2014 at 11:27 PM, Garet Claborn <garet@approach.im> wrote: > Some aspects of this proposal could most likely be enhanced and/or > simplified. There's quite a bit I do not know about the current state > of discussion in this area. Simply, I hope that we'll eventually have > a cleaner interface towards securing CORS and automating access across > networks. I might be missing something, but I don't see how these secure against the IIS bug. We could ignore that bug and put a warning sign in the specification, as Ian suggested back then. Is there sufficient usage of CORS to add the complexity? And, are server administrators okay with this being possible? The most attractive solution would be to do an OPTIONS * fetch of sorts against a given host. Because basically the entire preflight thing is a dance to figure out if the server knows about CORS. -- http://annevankesteren.nl/
Received on Thursday, 19 June 2014 09:45:19 UTC