Re: CORS performance

On Tue, Feb 17, 2015 at 2:43 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:

> * Anne van Kesteren wrote:
> >On Tue, Feb 17, 2015 at 8:18 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
> >> Individual resources should not be able to declare policy for the whole
> >> server, ...
> >
> >With HSTS we gave up on that.
>
>
FWIW, this dynamic is why you can't set HSTS on an S3 bucket (or a
CloudFront distribution backed by an S3 bucket). Amazon isn't willing to
let you set an HSTS header for a file that might also be served at
s3.amazonaws.com. And so any website backed by S3, even if you never use
the s3.amazonaws.com URLs, is restricted from setting HSTS headers.

-- Eric

-- 
konklone.com | @konklone <https://twitter.com/konklone>

Received on Wednesday, 18 February 2015 02:14:20 UTC
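
The host-wide scope discussed in the message above, modeled as an added example (not part of the original message and not any browser's code): a toy user-agent HSTS store following RFC 6797, showing that a header sent with one object changes how every other URL on the same host is fetched. The bucket names, object paths and timestamps are constructed.

```python
from urllib.parse import urlsplit

class HstsStore:
    """Toy user-agent HSTS store: entries are keyed by host, never by path."""

    def __init__(self):
        self.hosts = {}  # host -> (expiry time in seconds, includeSubDomains flag)

    def note_response(self, url, sts_header, now):
        parts = urlsplit(url)
        if parts.scheme != "https":      # the header is ignored over plain HTTP
            return
        max_age, include_sub = None, False
        for directive in sts_header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                value = value.strip().strip('"')
                if not value.isdigit():  # malformed header: ignore it entirely
                    return
                max_age = int(value)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:              # max-age is a required directive
            return
        if max_age == 0:                 # max-age=0 removes the host's entry
            self.hosts.pop(parts.hostname, None)
        else:
            self.hosts[parts.hostname] = (now + max_age, include_sub)

    def is_hsts(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            # An exact match always applies; a parent only with includeSubDomains.
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now):
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_hsts(parts.hostname, now):
            return parts._replace(scheme="https").geturl()
        return url

# Constructed sample: one object in "bucket-a" sends the header from the shared host.
store = HstsStore()
store.note_response("https://s3.amazonaws.com/bucket-a/logo.png", "max-age=31536000", now=0)
print(store.rewrite("http://s3.amazonaws.com/bucket-b/index.html", now=60))
```

The URL for "bucket-b" is upgraded to HTTPS although that bucket never sent the header; with `includeSubDomains` the same would apply to hosts such as `bucket-b.s3.amazonaws.com`.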