
Re: CORS performance

From: Eric Mill <eric@konklone.com>
Date: Tue, 17 Feb 2015 21:13:07 -0500
Message-ID: <CANBOYLW0o556YADivqb8LWTgFp7vHS8=yp8M7hdNEdvsH=Sexw@mail.gmail.com>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
Cc: Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>, Monsur Hossain <monsur@gmail.com>, Jonas Sicking <jonas@sicking.cc>, Dale Harvey <dale@arandomurl.com>
On Tue, Feb 17, 2015 at 2:43 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:

> * Anne van Kesteren wrote:
> >On Tue, Feb 17, 2015 at 8:18 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
> >> Individual resources should not be able to declare policy for the whole
> >> server, ...
> >
> >With HSTS we gave up on that.

FWIW, this dynamic is why you can't set HSTS on an S3 bucket (or a
CloudFront distribution backed by an S3 bucket). Amazon isn't willing to
let you set an HSTS header for a file that might also be served at
s3.amazonaws.com. And so any website backed by S3, even if you never use
the s3.amazonaws.com URLs, is restricted from setting HSTS headers.

-- Eric

konklone.com | @konklone <https://twitter.com/konklone>
Received on Wednesday, 18 February 2015 02:14:20 UTC
