- From: Jonas Sicking <jonas@sicking.cc>
- Date: Thu, 19 Feb 2015 12:22:20 -0800
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>
Would this be allowed for both requests with credentials and requests without credentials? The security implications of the two are very different.

/ Jonas

On Thu, Feb 19, 2015 at 5:29 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> When the user agent is about to make its first preflight to an origin
> (timeout up to the user agent), it first makes a preflight that looks
> like:
>
> OPTIONS *
> Access-Control-Request-Origin-Wide-Cache: [origin]
> Access-Control-Request-Method: *
> Access-Control-Request-Headers: *
>
> If the response is
>
> 2xx XX
> Access-Control-Allow-Origin-Wide-Cache: [origin]
> Access-Control-Allow-Methods: *
> Access-Control-Allow-Headers: *
> Access-Control-Max-Age: [max-age]
>
> then no more preflights will be made for the duration of [max-age] (or
> shortened per user agent preference). If the response includes
>
> Access-Control-Allow-Credentials: true
>
> the cache scope is increased to requests that include credentials.
>
> I think this has a reasonable tradeoff between security and opening up
> all the power of the HTTP APIs on the server without the performance
> hit. It still makes the developer very conscious about the various
> features involved.
>
> The cache would be on a per requesting origin basis as per the headers
> above. The Origin and Access-Control-Allow-Origin would not take part
> in this exchange, to make it very clear what this is about.
>
> (This does not affect Access-Control-Expose-Headers or any of the
> other headers required as part of non-preflight responses.)
>
>
> --
> https://annevankesteren.nl/
>
Received on Thursday, 19 February 2015 20:23:19 UTC
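Jonas's question turns on how far a cached grant reaches. The following is an added example, not code from this thread or from any browser: a model of the user-agent-side cache as the quoted proposal describes it. The header names and the response shape are taken from the quoted message; the class, function names, origins, timestamps and sample responses are constructed for illustration, and the requesting-origin/target-origin keying and the user-agent cap on max-age are my reading of "per requesting origin basis" and "shortened per user agent preference".

```python
"""Model of the proposed origin-wide CORS preflight cache (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Mapping, Tuple


def build_origin_wide_preflight(requesting_origin: str) -> str:
    """The first preflight a user agent would send, as written in the proposal."""
    return (
        "OPTIONS *\r\n"
        f"Access-Control-Request-Origin-Wide-Cache: {requesting_origin}\r\n"
        "Access-Control-Request-Method: *\r\n"
        "Access-Control-Request-Headers: *\r\n"
    )


@dataclass
class OriginWideEntry:
    expires_at: float        # absolute time in seconds; stale once now >= expires_at
    allows_credentials: bool  # True only if the reply carried ACAC: true


class OriginWidePreflightCache:
    """Grants keyed on (requesting origin, target origin); assumption, see lead-in."""

    def __init__(self, ua_max_age_cap: float = 86400.0):
        self._entries: Dict[Tuple[str, str], OriginWideEntry] = {}
        self._cap = ua_max_age_cap  # user agent may shorten the server's max-age

    def record_response(self, requesting_origin: str, target_origin: str,
                        status: int, headers: Mapping[str, str], now: float) -> bool:
        """Evaluate the reply to the origin-wide OPTIONS request.

        A grant is cached only when the status is 2xx, the requesting origin is
        echoed in Access-Control-Allow-Origin-Wide-Cache, methods and headers
        are both '*', and a positive Access-Control-Max-Age is present.
        Returns True if a grant was stored.
        """
        if not 200 <= status < 300:
            return False
        h = {k.lower(): v.strip() for k, v in headers.items()}
        if h.get("access-control-allow-origin-wide-cache") != requesting_origin:
            return False
        if h.get("access-control-allow-methods") != "*":
            return False
        if h.get("access-control-allow-headers") != "*":
            return False
        try:
            max_age = float(h.get("access-control-max-age", "0"))
        except ValueError:
            return False
        if max_age <= 0:
            return False
        ttl = min(max_age, self._cap)
        creds = h.get("access-control-allow-credentials", "").lower() == "true"
        self._entries[(requesting_origin, target_origin)] = OriginWideEntry(now + ttl, creds)
        return True

    def needs_preflight(self, requesting_origin: str, target_origin: str,
                        with_credentials: bool, now: float) -> bool:
        """True when an ordinary per-request preflight is still required."""
        key = (requesting_origin, target_origin)
        entry = self._entries.get(key)
        if entry is None or now >= entry.expires_at:
            self._entries.pop(key, None)  # expired grants are dropped
            return True
        # The point Jonas raises: a grant without ACAC: true must not
        # cover requests that carry credentials.
        if with_credentials and not entry.allows_credentials:
            return True
        return False


def demo() -> Dict[str, bool]:
    """Walk through the two grant scopes with constructed sample responses."""
    app, api = "https://app.example", "https://api.example"  # constructed origins
    cache = OriginWidePreflightCache()
    anon_only = {
        "Access-Control-Allow-Origin-Wide-Cache": app,
        "Access-Control-Allow-Methods": "*",
        "Access-Control-Allow-Headers": "*",
        "Access-Control-Max-Age": "600",
    }
    with_creds = dict(anon_only, **{"Access-Control-Allow-Credentials": "true"})
    results = {}
    results["anon_grant_stored"] = cache.record_response(app, api, 204, anon_only, 1000.0)
    results["anon_request_skips"] = not cache.needs_preflight(app, api, False, 1001.0)
    results["cred_request_preflights"] = cache.needs_preflight(app, api, True, 1001.0)
    results["cred_grant_stored"] = cache.record_response(app, api, 200, with_creds, 1002.0)
    results["cred_request_skips"] = not cache.needs_preflight(app, api, True, 1003.0)
    results["expired_preflights"] = cache.needs_preflight(app, api, False, 1002.0 + 600)
    # A reply naming a different origin grants nothing to this requester.
    other = dict(anon_only, **{"Access-Control-Allow-Origin-Wide-Cache": "https://other.example"})
    results["wrong_origin_rejected"] = not cache.record_response(app, api, 204, other, 2000.0)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model keeps the two scopes separate on purpose: a response without `Access-Control-Allow-Credentials: true` suppresses preflights only for anonymous requests, so a credentialed request falls back to today's per-request preflight rather than silently inheriting the wider grant.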