Re: CORS performance proposal from Martin Thomson on 2015-06-09 (public-webapps@w3.org from April to June 2015)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 8 Jun 2015 21:42:53 -0700
To: "Nottingham, Mark" <mnotting@akamai.com>
Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>
Message-ID: <CABkgnnWD58a60dPE8WCpNXs7XOftpohaPgnnruJraaQWGCJa+w@mail.gmail.com>

On 8 June 2015 at 21:30, Nottingham, Mark <mnotting@akamai.com> wrote:
> A header denoting site-wide metadata would work for this too, of course, if folks were comfortable with the security properties of doing that (as well as the potential response overhead).


The security properties bother me a little.  Alt-Svc is showing us
that we can't just define a header field like that without some
serious analysis.

Received on Tuesday, 9 June 2015 04:43:23 UTC