W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2015

Re: CORS performance proposal

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 20 Feb 2015 10:05:13 +0100
Message-ID: <CADnb78heLh1PCh3UbK73c4LdwoZ7XUXpWDqQj2Kst7qbrwzbRQ@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>
Cc: WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>
On Thu, Feb 19, 2015 at 9:22 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> Would this be allowed for both requests with credentials and requests
> without credentials? The security implications of the two are very
> different.

Yes, but the latter requires the Access-Control-Allow-Credentials
header to be included in the response.

An alternative is that we attempt to introduce
Access-Control-Policy-Path again from 2008. The problems you raised
seem surmountable. URL parsing is defined in more detail these days
and we could simply ban URLs containing escaped \ and /.

Received on Friday, 20 February 2015 09:05:42 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:14:44 UTC