Re: CORS and null from Mike West on 2014-06-03 (public-webappsec@w3.org from June 2014)

From: Mike West <mkwst@google.com>
Date: Tue, 3 Jun 2014 11:07:33 +0200
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>, Jonas Sicking <jonas@sicking.cc>, Adam Barth <w3c@adambarth.com>, Maciej Stachowiak <mjs@apple.com>, Travis Leithead <Travis.Leithead@microsoft.com>
Message-ID: <CAKXHy=duW0Wa6ui2Cw7x-M-fCJ_EVWYEQ6ZLG+FUcJj5iM7iLw@mail.gmail.com>

Indeed. Which means it's even lower-impact than I thought. :)

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Tue, Jun 3, 2014 at 11:01 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Tue, Jun 3, 2014 at 10:54 AM, Mike West <mkwst@google.com> wrote:
> > It has the impact that sandboxed frames can't make XHR requests to CORS
> > enabled resources, which is potentially problematic in the cases where
> you'd
> > like to sandbox off a portion of your application that processes data.
>
> Only to CORS-enabled credentialed resources. CORS in general would
> remain working.
>
>
> --
> http://annevankesteren.nl/
>

Received on Tuesday, 3 June 2014 09:08:22 UTC