- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 24 Feb 2015 12:25:03 +0100
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Henri Sivonen <hsivonen@hsivonen.fi>, Brad Hill <hillbrad@gmail.com>, WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>, Monsur Hossain <monsur@gmail.com>, Dale Harvey <dale@arandomurl.com>
On Mon, Feb 23, 2015 at 8:42 PM, Jonas Sicking <jonas@sicking.cc> wrote: > On Mon, Feb 23, 2015 at 11:06 AM, Anne van Kesteren <annevk@annevk.nl> wrote: >> That combined with requiring to list >> the explicit origin has worked well for CORS so far. > > This could potentially help. > > I don't remember the details of how/why people screwed up with > crosssite.xml. But if the problem was that people hosted multiple > services on the same server and only thought of one of them when > writing a policy, then this won't really help very much. http://www.jamesward.com/2009/11/08/how-bad-crossdomain-policies-expose-protected-data-to-malicious-applications/ seems to support that. > Do we have any data on how common it is for people to use CORS with > credentials? My impression is that it's far less common than CORS > without credentials. I don't have data. It seems we don't have telemetry for this in Gecko. Anyone else? I would also suspect that Access-Control-Allow-Origin: * is more common. > If that's the case then I think we'd get most of the functionality, > with essentially none of the risk, by only allowing server-wide > cookie-less preflights. If we only do it for this, could we combine that feature with the existing preflight then? Support a "Access-Control-Allow-Origin-Wide: true" header or some such that's mutually exclusive with "Access-Control-Allow-Credentials: true". -- https://annevankesteren.nl/
Received on Tuesday, 24 February 2015 11:25:35 UTC