
Re: Cookieless cross-origin violation reports.

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 6 May 2013 12:57:49 -0700
Message-ID: <CADnb78jst6qcHNKDrphKnGUvBWpb7ca8=GzUzLAMKGn-dBmMrw@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal-inc.com>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, May 6, 2013 at 11:26 AM, Hill, Brad <bhill@paypal-inc.com> wrote:
> Do you have thoughts or opinions on this, Anne?

I don't really like that we make decisions about what is acceptable on
a case-by-case basis without data/knowledge about what is actually
safe and what is unsafe. I sort of feel that either we should abide by
the boundary set by <form>/CORS or try to rethink that model. Poking
holes without any kind of model strikes me as a bad idea.


--
http://annevankesteren.nl/
Received on Monday, 6 May 2013 19:58:15 UTC
