Re: CORS and Caching (in reverse proxies / CDNs)

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 30 Apr 2014 13:47:54 +0100
Message-ID: <CADnb78h6LqeeWaAf3KtN-u8hbTfQQLgUGF2zMNQZ0J54uwvbZw@mail.gmail.com>
To: Nils Goroll <slink@schokola.de>
Cc: WebAppSec WG <public-webappsec@w3.org>

On Mon, Apr 28, 2014 at 3:43 PM, Nils Goroll <slink@schokola.de> wrote:
> Please consider the simple case of a web font http://static.do.main/font.woff
> which, for licensing reasons, is to be shared with a set of specific origins
> only, so using 'Access-Control-Allow-Origin: *' is not an option.

It is. You could terminate the request if the Origin request header
was not "correct".

> I'd appreciate pointers if this issue had been discussed before, as I have
> failed to find any previous discussion in the list archives.

If we were to do this at this point we probably have to introduce a
new header or force everyone to sniff user agents for support.
However, there haven't been many requests for it.

Received on Wednesday, 30 April 2014 12:48:21 UTC
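
The approach suggested in the reply above (answer with `Access-Control-Allow-Origin: *` but terminate requests whose Origin is not allowed), sketched as an added example that is not part of the original message. The `Edge` class, the allowlisted hostnames, the 403 status and the choice to reject a missing Origin are assumptions made for illustration.

```python
# Added example: origin allowlist enforced in front of a shared cache.
# Hostnames are constructed placeholders, not values from the thread.
ALLOWED_ORIGINS = {"https://www.example.com", "https://shop.example.com"}


class Edge:
    """Reverse-proxy sketch: allowlist check first, then a one-variant cache."""

    def __init__(self, fetch_backend):
        self.fetch_backend = fetch_backend  # callable: path -> bytes
        self.cache = {}                     # keyed by path only, never by Origin
        self.backend_hits = 0

    def handle(self, path, request_headers):
        # Header names are case-insensitive, so normalise before lookup.
        headers = {k.lower(): v for k, v in request_headers.items()}
        origin = headers.get("origin")

        # Terminate before the cache lookup. A missing Origin header is
        # treated as not "correct" (assumption of this sketch).
        if origin not in ALLOWED_ORIGINS:
            return 403, {}, b""

        # Every allowed origin receives the same bytes and the same header,
        # so one cached object serves all of them without Vary: Origin.
        if path not in self.cache:
            self.backend_hits += 1
            self.cache[path] = self.fetch_backend(path)
        return 200, {"Access-Control-Allow-Origin": "*"}, self.cache[path]


if __name__ == "__main__":
    edge = Edge(lambda path: b"constructed font bytes")
    for hdrs in ({"Origin": "https://www.example.com"},
                 {"Origin": "https://shop.example.com"},
                 {"Origin": "https://other.example.net"},
                 {}):
        status, resp_headers, _ = edge.handle("/font.woff", hdrs)
        print(hdrs.get("Origin"), status, resp_headers)
    print("backend fetches:", edge.backend_hits)
```

The check only protects the resource while it runs on every request: any cache sitting between this check and the client would replay the stored `*` response without consulting the allowlist.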
