
CORS and null

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 2 Jun 2014 10:55:16 +0200
Message-ID: <CADnb78hJBNt4GNm5ZXd=3sDRcL_0mUTF3ra9DgfN3K2Z4C_HRg@mail.gmail.com>
To: WebAppSec WG <public-webappsec@w3.org>
Cc: Jonas Sicking <jonas@sicking.cc>, Adam Barth <w3c@adambarth.com>, Maciej Stachowiak <mjs@apple.com>, Travis Leithead <Travis.Leithead@microsoft.com>

Allowing

  Access-Control-Allow-Origin: null
  Access-Control-Allow-Credentials: true

is effectively equivalent to allowing

  Access-Control-Allow-Origin: *
  Access-Control-Allow-Credentials: true

given sandboxing. Given that we do not allow the latter, should we
start banning the former?


-- 
http://annevankesteren.nl/
Received on Monday, 2 June 2014 08:55:44 UTC
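
The pairing raised in the message above, as an added example that is not part of the original post: a header audit that flags `null` with credentials alongside the wildcard pair, and a server-side policy that never grants credentialed access to the literal origin `null`. The function names, finding codes, and sample header sets are assumptions constructed for illustration.

```javascript
// Added example. Header names are the standard CORS ones; function names,
// finding codes and sample values are constructed for illustration.

// Lower-case header names so lookups are case-insensitive.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Audit one response's headers. Returns an array of finding codes.
function auditCors(headers) {
  const h = normalize(headers);
  const origin = h['access-control-allow-origin'];
  // Browsers honour the credentials header only for the exact value "true".
  const creds = h['access-control-allow-credentials'] === 'true';
  const findings = [];
  if (origin === '*' && creds) findings.push('wildcard-with-credentials');
  // Sandboxed documents (opaque origin) send "Origin: null", so "null" names
  // no particular site; with credentials it is flagged like the wildcard pair.
  if (origin === 'null' && creds) findings.push('null-with-credentials');
  return findings;
}

// Server-side policy: grant credentialed access only on an exact allowlist
// match, and never to the literal origin "null".
function corsHeadersFor(requestOrigin, allowlist) {
  if (!requestOrigin || requestOrigin === 'null') return {};
  if (!allowlist.includes(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Constructed sample responses.
const samples = [
  { 'Access-Control-Allow-Origin': 'null', 'Access-Control-Allow-Credentials': 'true' },
  { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' },
  { 'Access-Control-Allow-Origin': 'https://app.example', 'Access-Control-Allow-Credentials': 'true' },
];
for (const s of samples) console.log(JSON.stringify(s), '->', auditCors(s));
```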
