Re: CORS performance

* Anne van Kesteren wrote:
>On Tue, Feb 17, 2015 at 8:18 PM, Bjoern Hoehrmann wrote:
>> Individual resources should not be able to declare policy for the whole
>> server, ...
>With HSTS we gave up on that.

Well, HSTS essentially removes communication options, while the intent
of CORS is to add communication options. I don't think you can compare
them like that. HSTS is more like a redirect and misconfiguration may
result in denial of service, while CORS misconfiguration can have more
far-reaching consequences like exposing user information.

Björn Höhrmann
D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78
Available for hire in Berlin (early 2015)

Received on Tuesday, 17 February 2015 19:44:36 UTC