public-webappsec@w3.org mailing list archive, February 2015

Re: CORS performance

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 17 Feb 2015 20:24:18 +0100
Message-ID: <CADnb78g69ihBbpc+316bNN008ufgza_B9UsD7xFW5m9WNmNksw@mail.gmail.com>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
Cc: WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>, Monsur Hossain <monsur@gmail.com>, Jonas Sicking <jonas@sicking.cc>, Dale Harvey <dale@arandomurl.com>
On Tue, Feb 17, 2015 at 8:18 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
> Individual resources should not be able to declare policy for the whole
> server, ...

With HSTS we gave up on that.

> HTTP/1.1 rather has `OPTIONS *` for that, which would require a
> new kind of "preflight" request. And if the whole server is fine with
> cross-origin requests, I am not sure there is much of a point trying to
> lock it down by restricting request headers or methods.

Yeah, I wasn't sure whether those should all be listed. Maybe simply
declaring you're fluent in CORS in a unique way is sufficient.

Received on Tuesday, 17 February 2015 19:24:45 UTC
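The cost the thread is arguing about is the per-resource preflight: under the CORS protocol a browser caches a successful OPTIONS answer only for that origin and URL (for Access-Control-Max-Age seconds), so a client touching many distinct resources on one server pays one round trip per resource no matter how permissive the server is. The following is an added example, not code from this thread or from any W3C spec text; it models standard per-resource preflight handling and a simplified browser-side preflight result cache, so that the number of extra round trips can be counted. The policy values (allowed origin, methods, headers, max-age) and the simulated URLs are constructed for illustration; the real cache key also depends on the credentials mode, which is omitted here.

```javascript
// Added example: standard per-resource CORS preflight, server and (simplified)
// client side. All policy values below are constructed for the demonstration.

const ALLOWED_ORIGINS = new Set(['https://app.example']);
const ALLOWED_METHODS = new Set(['GET', 'POST', 'PUT', 'DELETE']);
const ALLOWED_HEADERS = new Set(['content-type', 'authorization']);
const MAX_AGE_SECONDS = 600;

// Server side: answer a preflight OPTIONS request for one resource.
function handlePreflight(req) {
  const origin = req.headers['origin'];
  const method = (req.headers['access-control-request-method'] || '').toUpperCase();
  const requested = (req.headers['access-control-request-headers'] || '')
    .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);

  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {} };
  if (!ALLOWED_METHODS.has(method)) return { status: 403, headers: {} };
  if (!requested.every(h => ALLOWED_HEADERS.has(h))) return { status: 403, headers: {} };

  return {
    status: 204,
    headers: {
      // Echo the specific origin instead of '*'; '*' cannot be used with credentials.
      'access-control-allow-origin': origin,
      'vary': 'Origin',
      'access-control-allow-methods': [...ALLOWED_METHODS].join(', '),
      'access-control-allow-headers': [...ALLOWED_HEADERS].join(', '),
      'access-control-max-age': String(MAX_AGE_SECONDS),
    },
  };
}

// Client side, simplified: the preflight result cache is keyed per origin and
// URL, so every distinct resource path costs its own preflight round trip.
class PreflightCache {
  constructor(now = () => Date.now()) {
    this.entries = new Map();
    this.now = now;
    this.preflights = 0; // network round trips spent on OPTIONS
  }
  key(origin, url) { return origin + ' ' + url; }
  needsPreflight(origin, url, method, headers) {
    const e = this.entries.get(this.key(origin, url));
    if (!e || e.expires <= this.now()) return true;
    return !(e.methods.has(method) && headers.every(h => e.headers.has(h)));
  }
  // Perform the preflight if the cache cannot answer; returns true if one was sent.
  request(origin, url, method, headers) {
    if (!this.needsPreflight(origin, url, method, headers)) return false;
    this.preflights++;
    const res = handlePreflight({ headers: {
      'origin': origin,
      'access-control-request-method': method,
      'access-control-request-headers': headers.join(', '),
    } });
    if (res.status !== 204) throw new Error('CORS preflight rejected for ' + url);
    const h = res.headers;
    this.entries.set(this.key(origin, url), {
      expires: this.now() + Number(h['access-control-max-age']) * 1000,
      methods: new Set(h['access-control-allow-methods'].split(',').map(s => s.trim())),
      headers: new Set(h['access-control-allow-headers'].split(',').map(s => s.trim().toLowerCase())),
    });
    return true;
  }
}

// Count preflights for a batch of PUTs, each to a different URL on the same
// server, issued twice: the second pass is served from the cache, but the first
// pass still costs one OPTIONS per distinct URL.
function countPreflights(urls) {
  const cache = new PreflightCache(() => 0); // frozen clock: entries never expire
  for (const u of urls) cache.request('https://app.example', u, 'PUT', ['content-type']);
  for (const u of urls) cache.request('https://app.example', u, 'PUT', ['content-type']);
  return cache.preflights;
}
```

Running countPreflights over N distinct URLs yields N, which is the per-resource cost a server-wide opt-in would be meant to remove; a server declaring itself "fluent in CORS" once for the whole host is not something this code models, since the thread does not settle on a mechanism for it.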
