Re: CORS performance

On Mon, Feb 23, 2015 at 8:42 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> On Mon, Feb 23, 2015 at 11:06 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> That combined with requiring to list
>> the explicit origin has worked well for CORS so far.
>
> This could potentially help.
>
> I don't remember the details of how/why people screwed up with
> crosssite.xml. But if the problem was that people hosted multiple
> services on the same server and only thought of one of them when
> writing a policy, then this won't really help very much.

http://www.jamesward.com/2009/11/08/how-bad-crossdomain-policies-expose-protected-data-to-malicious-applications/
seems to support that.


> Do we have any data on how common it is for people to use CORS with
> credentials? My impression is that it's far less common than CORS
> without credentials.

I don't have data. It seems we don't have telemetry for this in Gecko.
Anyone else? I would also suspect that Access-Control-Allow-Origin: *
is more common.


> If that's the case then I think we'd get most of the functionality,
> with essentially none of the risk, by only allowing server-wide
> cookie-less preflights.

If we only do it for this, could we combine that feature with the
existing preflight then? Support an "Access-Control-Allow-Origin-Wide:
true" header or some such that's mutually exclusive with
"Access-Control-Allow-Credentials: true".


-- 
https://annevankesteren.nl/

Received on Tuesday, 24 February 2015 11:25:35 UTC
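
The rule proposed in the message above, sketched as an added example that is not part of the original thread or of any browser's code: a preflight response is classified as cacheable server-wide only when it carries the proposed header and does not also allow credentials. `Access-Control-Allow-Origin-Wide` is the header floated in this thread, not a shipped CORS header; the function and class names, origins and URLs are hypothetical.

```javascript
// Model of the proposal: "Access-Control-Allow-Origin-Wide: true" lets a
// preflight result cover the whole server, but only for cookie-less requests.
// The header is a proposal from this thread; all names here are hypothetical.

// Classify a preflight response for a request from requestOrigin.
// Returns "origin" (server-wide), "url" (per-URL, as today) or "reject".
function preflightCacheScope(headers, requestOrigin, withCredentials) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const allowOrigin = h["access-control-allow-origin"];
  const allowCreds = h["access-control-allow-credentials"] === "true";
  const originWide = h["access-control-allow-origin-wide"] === "true";

  // Existing CORS checks: the origin must match, and a credentialed
  // request needs an explicit origin plus Allow-Credentials: true.
  if (allowOrigin !== "*" && allowOrigin !== requestOrigin) return "reject";
  if (withCredentials && (!allowCreds || allowOrigin === "*")) return "reject";
  // Proposed check: the two headers are mutually exclusive.
  if (originWide && allowCreds) return "reject";
  return originWide ? "origin" : "url";
}

// Simplified cache: real entries also track methods, headers and max-age.
class PreflightCache {
  constructor() { this.entries = new Set(); }

  store(requestOrigin, url, withCredentials, headers) {
    const scope = preflightCacheScope(headers, requestOrigin, withCredentials);
    const t = new URL(url);
    if (scope === "origin") this.entries.add(`${requestOrigin}|*|${t.origin}`);
    if (scope === "url") {
      this.entries.add(`${requestOrigin}|${withCredentials}|${t.origin}${t.pathname}`);
    }
    return scope;
  }

  needsPreflight(requestOrigin, url, withCredentials) {
    const t = new URL(url);
    // A server-wide entry never satisfies a credentialed request.
    if (!withCredentials && this.entries.has(`${requestOrigin}|*|${t.origin}`)) return false;
    return !this.entries.has(`${requestOrigin}|${withCredentials}|${t.origin}${t.pathname}`);
  }
}
```

A server-wide entry covers every path on the target origin, so the policy author has to account for every service hosted there, which is the crossdomain-policy failure mode discussed earlier in the thread.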