- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Tue, 17 Feb 2015 20:43:59 +0100
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>, Monsur Hossain <monsur@gmail.com>, Jonas Sicking <jonas@sicking.cc>, Dale Harvey <dale@arandomurl.com>
* Anne van Kesteren wrote: >On Tue, Feb 17, 2015 at 8:18 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote: >> Individual resources should not be able to declare policy for the whole >> server, ... > >With HSTS we gave up on that. Well, HSTS essentially removes communication options, while the intent of CORS is to add communication options. I don't think you can compare them like that. HSTS is more like a redirect and misconfiguration may result in denial of service, while CORS misconfiguration can have more far-reaching consequences like exposing user information. -- Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de Available for hire in Berlin (early 2015) · http://www.websitedev.de/
Received on Tuesday, 17 February 2015 19:44:36 UTC