- From: Nottingham, Mark <mnotting@akamai.com>
- Date: Tue, 9 Jun 2015 05:18:13 +0000
- To: Anne van Kesteren <annevk@annevk.nl>
- CC: Martin Thomson <martin.thomson@gmail.com>, Bjoern Hoehrmann <derhoermi@gmx.net>, WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>
> On 9 Jun 2015, at 2:54 pm, Anne van Kesteren <annevk@annevk.nl> wrote:
>
> On Tue, Jun 9, 2015 at 6:42 AM, Martin Thomson <martin.thomson@gmail.com> wrote:
>> The security properties bother me a little. Alt-Svc is showing us
>> that we can't just define a header field like that without some
>> serious analysis.
>
> Same goes for a site-wide file. See crossdomain.xml. However, either
> coupled with "credentials mode = omit" seems okayish... Mark, do these
> CDN requests mention credentials?

Will look into it. Supporting without credentials (and leaving future extensibility for the possibility) would certainly be a good start.

Cheers,

--
Mark Nottingham mnot@akamai.com https://www.mnot.net/

Received on Tuesday, 9 June 2015 05:18:46 UTC