- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 9 Jan 2014 13:19:46 +0000
- To: Mike West <mkwst@google.com>
- Cc: Mark Nottingham <mnot@mnot.net>, Michal Zalewski <lcamtuf@coredump.cx>, Devdatta Akhawe <dev.akhawe@gmail.com>, Joel Weinberger <jww@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Frederik Braun <fbraun@mozilla.com>
On Thu, Jan 9, 2014 at 8:16 AM, Mike West <mkwst@google.com> wrote: > Relying on CORS assumes that any sensitive data that should be available > cross-origin would have appropriate headers applied to any response. It's more complicated as you need to vary the CORS headers based on the request ("*" no longer works), but that is typically the case for sensitive data already. -- http://annevankesteren.nl/
Received on Thursday, 9 January 2014 13:20:13 UTC