- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Thu, 19 Feb 2015 23:39:12 +0100
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>
* Martin Thomson wrote: >On 20 February 2015 at 00:29, Anne van Kesteren <annevk@annevk.nl> wrote: >> Access-Control-Allow-Origin-Wide-Cache: [origin] > >This has some pretty implications for server deployments that host >mutual distrustful applications. Now, these servers are already >pretty well hosed from other directions, but I don't believe that >there is any pre-existing case where a header field set in a request >to /x could affect future requests to /y. > >An alternative would be to use /.well-known for site wide policies. The proposal is to use `OPTIONS * HTTP/1.1` not `OPTIONS /x HTTP/1.1`. -- Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de Available for hire in Berlin (early 2015) · http://www.websitedev.de/
Received on Thursday, 19 February 2015 22:39:41 UTC