- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Sat, 4 May 2013 08:56:41 +0100
- To: Vladimir Dzhuvinov <vladimir@dzhuvinov.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>

On Sat, May 4, 2013 at 8:45 AM, Vladimir Dzhuvinov <vladimir@dzhuvinov.com> wrote:
> The other day I received a suggestion to add a special keyword to denote
> any header and to make this the new default policy of the CORS filter
> (allow any author request header). I wish to hear your opinion guys on
> the security implications of that.

The main thing we require explicit opt-in for is that you might have special processing associated with certain headers and we do not want web developers to be able to exploit those or the server developer having to rewrite his application to make use of CORS. If however there is no such special processing going, simply allowing all headers requested per preflight is fine.

-- 
http://annevankesteren.nl/

Received on Saturday, 4 May 2013 07:57:08 UTC
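
The distinction drawn in the reply above, sketched as an added example (not part of the original message and not code from the CORS filter under discussion): a preflight decision that either requires explicit opt-in per header or allows any requested header except those the application processes specially. The class name, method names and the `X-Internal-Role` header are hypothetical.

```python
# Added example; HeaderPolicy and X-Internal-Role are hypothetical names.

def parse_request_headers(value):
    """Split an Access-Control-Request-Headers value into lowercase names."""
    if not value:
        return []
    return [name.strip().lower() for name in value.split(",") if name.strip()]


class HeaderPolicy:
    """Decides which author request headers a preflight response may allow.

    allowed: explicit opt-in set, or None for the "any header" keyword.
    special: headers the server processes specially; the "any" policy
             never opts these in implicitly.
    """

    def __init__(self, allowed=None, special=()):
        self.allowed = None if allowed is None else {h.lower() for h in allowed}
        self.special = {h.lower() for h in special}

    def allow_headers(self, acrh_value):
        """Return the Access-Control-Allow-Headers value.

        Returns None when the header must be omitted, which makes the
        browser fail the preflight and never send the actual request.
        """
        requested = parse_request_headers(acrh_value)
        for name in requested:
            if self.allowed is None:
                if name in self.special:
                    return None  # needs explicit opt-in
            elif name not in self.allowed:
                return None  # not on the allow-list
        return ", ".join(requested)


if __name__ == "__main__":
    # Constructed sample preflight values.
    explicit = HeaderPolicy(allowed={"Content-Type", "X-Requested-With"})
    any_safe = HeaderPolicy(allowed=None, special={"X-Internal-Role"})
    for acrh in ("Content-Type", "X-Custom", "X-Custom, X-Internal-Role"):
        print(repr(acrh), explicit.allow_headers(acrh), any_safe.allow_headers(acrh))
```

A header listed in `special` can still be allowed by naming it in an explicit `allowed` set, which is the opt-in the reply describes.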