
Re: CORS performance

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Tue, 17 Feb 2015 20:43:59 +0100
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>, Monsur Hossain <monsur@gmail.com>, Jonas Sicking <jonas@sicking.cc>, Dale Harvey <dale@arandomurl.com>
Message-ID: <j567eap5b5hvdtvdkig8pjh6ff3pfg2vjd@hive.bjoern.hoehrmann.de>
* Anne van Kesteren wrote:
>On Tue, Feb 17, 2015 at 8:18 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
>> Individual resources should not be able to declare policy for the whole
>> server, ...
>
>With HSTS we gave up on that.

Well, HSTS essentially removes communication options, while the intent
of CORS is to add communication options. I don't think you can compare
them like that. HSTS is more like a redirect and misconfiguration may
result in denial of service, while CORS misconfiguration can have more
far-reaching consequences like exposing user information.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
 Available for hire in Berlin (early 2015)  · http://www.websitedev.de/ 
Received on Tuesday, 17 February 2015 19:44:39 UTC
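The message contrasts the two failure modes: an HSTS mistake mostly costs availability, while a CORS mistake can hand authenticated responses to other origins. The following is an added example, not code from this thread or from any W3C project, that makes the CORS side concrete: a responder that reflects any `Origin` together with `Access-Control-Allow-Credentials: true` is compared with an allowlist-based responder, and a small approximation of the browser's credentialed-CORS check shows which origins would be able to read the response. The allowlist contents, the function names and the `audit` helper are assumptions made for the example.

```python
"""Added example (not part of the W3C thread): reflecting Origin with
credentials versus an explicit origin allowlist, and which origins can
read an authenticated response under each configuration."""

from typing import Dict, Optional

# Hypothetical allowlist constructed for this example; a deployment
# would load it from configuration.
ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}


def cors_headers_reflecting(origin: Optional[str]) -> Dict[str, str]:
    """Weak configuration: echoes whatever Origin the request carried and
    grants credentials, so any origin can read authenticated responses."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_allowlisted(origin: Optional[str]) -> Dict[str, str]:
    """Hardened configuration: only a known origin is echoed back, and
    Vary: Origin tells caches to keep per-origin responses apart."""
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def browser_would_expose(headers: Dict[str, str], requesting_origin: str) -> bool:
    """Approximation of the browser's credentialed-CORS check: the body is
    readable by requesting_origin only if Access-Control-Allow-Origin equals
    it exactly (a wildcard is rejected once credentials are involved) and
    Access-Control-Allow-Credentials is the literal string 'true'."""
    acao = headers.get("Access-Control-Allow-Origin")
    acac = headers.get("Access-Control-Allow-Credentials")
    return acao == requesting_origin and acac == "true"


def audit(origin: str) -> Dict[str, bool]:
    """For one requesting origin, report whether each configuration would
    let that origin read a credentialed response."""
    return {
        "reflecting": browser_would_expose(cors_headers_reflecting(origin), origin),
        "allowlisted": browser_would_expose(cors_headers_allowlisted(origin), origin),
    }


if __name__ == "__main__":
    # Constructed sample origins: one on the allowlist, one that is not.
    for o in ("https://app.example", "https://other.example"):
        print(o, audit(o))
```

Running the block prints that the reflecting configuration exposes the response to both sample origins, while the allowlisted one exposes it only to the origin that is actually on the list; that difference is the "exposing user information" consequence the message contrasts with the denial-of-service outcome of an HSTS mistake.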
