
Re: Allowing any author request header in CORS

From: Anne van Kesteren <annevk@annevk.nl>
Date: Sat, 4 May 2013 08:56:41 +0100
Message-ID: <CADnb78gyE6HBZEi4E4wHdzZ3qmL=eh7EwMnHc0B-RREfXHP+Qg@mail.gmail.com>
To: Vladimir Dzhuvinov <vladimir@dzhuvinov.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Sat, May 4, 2013 at 8:45 AM, Vladimir Dzhuvinov
<vladimir@dzhuvinov.com> wrote:
> The other day I received a suggestion to add a special keyword to denote
> any header and to make this the new default policy of the CORS filter
> (allow any author request header). I wish to hear your opinion guys on
> the security implications of that.

The main thing we require explicit opt-in for is that you might have
special processing associated with certain headers and we do not want
web developers to be able to exploit those or the server developer to
have to rewrite his application to make use of CORS. If however there
is no such special processing going on, simply allowing all headers
requested per preflight is fine.


--
http://annevankesteren.nl/
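Added example (not from this thread or from Vladimir's CORS filter): a preflight responder that applies either an explicit header allow-list or the proposed "allow any author request header" default, so the difference between the two policies discussed above is visible in the response. The ALLOW_ANY_HEADER keyword and the sample header values are assumptions.

```python
# Added example (not from the thread or any real CORS filter): answering a
# CORS preflight under the two policies discussed above. ALLOW_ANY_HEADER and
# the allow-list values are constructed for illustration.

ALLOW_ANY_HEADER = "*"  # hypothetical keyword for "any author request header"


def _requested_headers(preflight: dict) -> list:
    """Parse Access-Control-Request-Headers (names are case-insensitive)."""
    lowered = {k.lower(): v for k, v in preflight.items()}
    raw = lowered.get("access-control-request-headers", "")
    return [h.strip().lower() for h in raw.split(",") if h.strip()]


def preflight_response(preflight: dict, policy) -> tuple:
    """Decide an OPTIONS preflight.

    preflight: the preflight request's headers.
    policy: ALLOW_ANY_HEADER, or an explicit collection of allowed header names.
    Returns (granted, response_headers). When granted is False the response
    carries no Access-Control-Allow-Headers, so the browser fails the request.
    """
    lowered = {k.lower(): v for k, v in preflight.items()}
    origin = lowered.get("origin")
    if origin is None:
        return False, {}  # not a CORS request at all
    requested = _requested_headers(preflight)
    response = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if policy == ALLOW_ANY_HEADER:
        # Only acceptable when no header name triggers special server-side
        # processing: the filter simply echoes back what the browser asked for.
        granted = requested
    else:
        allowed = {h.lower() for h in policy}
        if any(h not in allowed for h in requested):
            return False, response  # a requested header lacks explicit opt-in
        granted = requested
    if granted:
        response["Access-Control-Allow-Headers"] = ", ".join(granted)
    return True, response
```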
Received on Saturday, 4 May 2013 07:57:08 UTC
