Re: CORS performance

* Anne van Kesteren wrote:
>With the recent introduction of CSP pinning, I was wondering whether
>something like "CORS pinning" would be feasible. A way for a server to
>declare that it speaks CORS across an entire origin.
>
>The CORS preflight in effect is a rather complicated way for the
>server to announce that it can handle CORS. We made it rather tricky
>to avoid footgun scenarios, but I'm wondering whether that is still
>the right tradeoff.
>
>Something like:
>
>  CORS: max-age=31415926; allow-origin=*; allow-credentials=true;
>allow-headers=*; allow-methods=*; expose-headers=*

Individual resources should not be able to declare policy for the whole
server, HTTP/1.1 rather has `OPTIONS *` for that, which would require a
new kind of "pre-flight" request. And if the whole server is fine with
cross-origin requests, I am not sure there is much of a point trying to
lock it down by restricting request headers or methods. I suppose some-
thing like this could be implemented, but I don't think "CORS pinning"
is quite the right analogy.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
 Available for hire in Berlin (early 2015)  · http://www.websitedev.de/ 

Received on Tuesday, 17 February 2015 19:19:35 UTC