Re: CORS performance proposal

From: Nottingham, Mark <mnotting@akamai.com>
Date: Tue, 9 Jun 2015 05:18:13 +0000
To: Anne van Kesteren <annevk@annevk.nl>
CC: Martin Thomson <martin.thomson@gmail.com>, Bjoern Hoehrmann <derhoermi@gmx.net>, WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>
Message-ID: <44683F99-E21C-47AF-8DD9-A504906B913E@akamai.com>

> On 9 Jun 2015, at 2:54 pm, Anne van Kesteren <annevk@annevk.nl> wrote:
> 
> On Tue, Jun 9, 2015 at 6:42 AM, Martin Thomson <martin.thomson@gmail.com> wrote:
>> The security properties bother me a little.  Alt-Svc is showing us
>> that we can't just define a header field like that without some
>> serious analysis.
> 
> Same goes for a site-wide file. See crossdomain.xml. However, either
> coupled with "credentials mode = omit" seems okayish... Mark, do these
> CDN requests mention credentials?

Will look into it. Supporting without credentials (and leaving future extensibility for the possibility) would certainly be a good start.

Cheers,


--
Mark Nottingham    mnot@akamai.com    https://www.mnot.net/
Received on Tuesday, 9 June 2015 05:18:46 UTC
