Re: CORS and Caching (in reverse proxies / CDNs)

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 30 Apr 2014 15:04:33 +0100
Message-ID: <CADnb78gt9F1+_ec7ZoSdb41v3uXXtaHYpT1P1jMpeiyKG7OyTg@mail.gmail.com>
To: Nils Goroll <slink@schokola.de>
Cc: WebAppSec WG <public-webappsec@w3.org>

On Wed, Apr 30, 2014 at 2:56 PM, Nils Goroll <slink@schokola.de> wrote:
> On 30/04/14 14:47, Anne van Kesteren wrote:
>> It is. You could terminate the request if the Origin request header
>> was not "correct".
> How should this work with CDNs and downstream caches?

Whether downstream caches have a copy seems like enough of a headache
for developers to not link your font inappropriately. It might
sometimes work, and sometimes not.

>> If we were to do this at this point we probably have to introduce a
>> new header or force everyone to sniff user agents for support.
>> However, there haven't been many requests for it.
> I don't understand how sniffing user-agents relates to this issue.

If we introduce new syntax it would break older clients (they would
not get anything).

Received on Wednesday, 30 April 2014 14:05:05 UTC
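
The behaviour discussed in this message, as an added example that is not part of the original e-mail: a constructed origin server that terminates requests whose Origin header is not on an allow-list, placed behind a shared cache, so the "sometimes work, sometimes not" outcome can be replayed. The host names, the allow-list and the comparison against a cache that keys on `Vary: Origin` are assumptions of this example.

```python
# Constructed model: one origin server behind one shared cache (CDN / reverse proxy).
ALLOWED_ORIGINS = {"https://app.example"}   # assumed allow-list
FONT = b"constructed-font-bytes"            # placeholder response body


def origin_server(url, origin):
    """Terminate the request unless the Origin request header is 'correct'."""
    if origin not in ALLOWED_ORIGINS:
        return 403, {}, b""
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return 200, headers, FONT


class SharedCache:
    """Simplified shared cache; honor_vary=False models a cache keyed on URL only."""

    def __init__(self, honor_vary):
        self.honor_vary = honor_vary
        self.store = {}

    def _key(self, url, origin):
        # Simplification: a cache honouring "Vary: Origin" adds Origin to the key.
        return (url, origin) if self.honor_vary else (url, None)

    def fetch(self, url, origin):
        key = self._key(url, origin)
        if key in self.store:
            return ("HIT",) + self.store[key]
        response = origin_server(url, origin)
        if response[0] == 200:              # only successful responses are stored
            self.store[key] = response
        return ("MISS",) + response


def replay(honor_vary, requests):
    """Send (url, origin) pairs through a fresh cache; return (cache state, status)."""
    cache = SharedCache(honor_vary)
    return [cache.fetch(url, origin)[:2] for url, origin in requests]


URL = "https://cdn.example/font.woff"
REQUESTS = [
    (URL, "https://other.example"),   # cold cache: reaches the origin, rejected
    (URL, "https://app.example"),     # allowed origin populates the cache
    (URL, "https://other.example"),   # same request as the first, after the fill
]

if __name__ == "__main__":
    print("URL-only key:", replay(False, REQUESTS))
    print("Vary: Origin:", replay(True, REQUESTS))
```

With the URL-only key, the third request is answered from the cache and never reaches the origin's check; the stored response still names `https://app.example` in `Access-Control-Allow-Origin`, so only the browser's own CORS check remains.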