
Re: CORS performance proposal

From: Nottingham, Mark <mnotting@akamai.com>
Date: Tue, 9 Jun 2015 04:53:12 +0000
To: Martin Thomson <martin.thomson@gmail.com>
CC: Bjoern Hoehrmann <derhoermi@gmx.net>, Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>
Message-ID: <FA985605-C4E9-40C2-9E20-E8DC1A4F17C8@akamai.com>

> On 9 Jun 2015, at 2:42 pm, Martin Thomson <martin.thomson@gmail.com> wrote:
> 
> On 8 June 2015 at 21:30, Nottingham, Mark <mnotting@akamai.com> wrote:
>> A header denoting site-wide metadata would work for this too, of course, if folks were comfortable with the security properties of doing that (as well as the potential response overhead).
> 
> The security properties bother me a little.  Alt-Svc is showing us
> that we can't just define a header field like that without some
> serious analysis.

Indeed. Also, an intermediary cache (whether a proxy or a CDN) would need to monitor all of the headers sent back for a given origin to figure out the applicable policy, and rewrite responses accordingly. It wouldn't just work out of the box like a .well-known would.

Cheers,


--
Mark Nottingham    mnot@akamai.com    https://www.mnot.net/
Received on Tuesday, 9 June 2015 04:53:44 UTC
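The cache-side bookkeeping Mark describes, as an added illustration that is not part of the thread: an intermediary that learns a site-wide CORS policy from a (hypothetical, assumed) per-response header must track every value it sees for an origin and detect disagreement before it can rewrite responses, whereas a .well-known document gives it the policy in one fetch. The header name, policy syntax and sample responses are all constructed for this example.

```python
"""Added example: intermediary cache deriving a site-wide CORS policy from
per-response headers versus from one .well-known document.
The header name and policy syntax are hypothetical assumptions."""
from dataclasses import dataclass, field

POLICY_HEADER = "Origin-CORS-Policy"  # hypothetical site-wide policy header


@dataclass
class OriginState:
    # The cache's view of one origin: every policy value seen on its responses.
    seen: dict = field(default_factory=dict)  # policy value -> number of responses


def observe(state: OriginState, response_headers: dict) -> None:
    """Record the policy value carried on one cached response from the origin."""
    value = response_headers.get(POLICY_HEADER)
    if value is not None:
        state.seen[value] = state.seen.get(value, 0) + 1


def derive_policy(state: OriginState):
    """Return the single applicable policy, or None when the origin's responses
    disagree; in that case the cache cannot safely rewrite and must bypass."""
    if len(state.seen) == 1:
        return next(iter(state.seen))
    return None


def cache_view(responses) -> tuple:
    """Run the header-based approach over a list of response header dicts."""
    state = OriginState()
    for headers in responses:
        observe(state, headers)
    return derive_policy(state), dict(state.seen)


def policy_from_well_known(fetch) -> str:
    """The .well-known approach: one fetch per origin, no per-response tracking."""
    return fetch("/.well-known/cors-policy").strip()


# Constructed sample: four responses from one origin; one carries no policy
# header at all and one carries a conflicting value (e.g. a stale deployment).
SAMPLE_RESPONSES = [
    {"Content-Type": "text/html", POLICY_HEADER: "allow=https://app.example"},
    {"Content-Type": "application/json", POLICY_HEADER: "allow=https://app.example"},
    {"Content-Type": "image/png"},
    {"Content-Type": "text/css", POLICY_HEADER: "allow=https://old.example"},
]


def fake_fetch(path: str) -> str:
    """Constructed stand-in for fetching the .well-known document."""
    return "allow=https://app.example\n" if path == "/.well-known/cors-policy" else ""
```

With the first two responses the cache can derive a policy; once the conflicting fourth response is cached it no longer can, while the .well-known lookup is unaffected by what individual responses carry.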
