- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Sun, 29 Jun 2014 11:53:40 +0200
- To: Mike West <mkwst@google.com>
- Cc: Sid Stamm <sid@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Sun, Jun 29, 2014 at 11:42 AM, Mike West <mkwst@google.com> wrote:
> As are `xxx.example.com` and `yyy.example.com`. I'm hard-pressed to think of
> a scenario in which resources from those two origins would be acceptable,
> but resources from `example.com` wouldn't.

Maybe once we have a way to restrict cookies to be same-origin and you wouldn't want same-origin credentialed fetches for resources that ought to come from cdn{1-10}.example.com. Of course, having a way to manipulate request's credentials mode just like you can manipulate referrer soon might also address that.

It also seems counter-intuitive that the * crosses the dot.

--
http://annevankesteren.nl/
Received on Sunday, 29 June 2014 09:54:07 UTC