On Tue, Feb 17, 2015 at 8:43 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
> * Anne van Kesteren wrote:
> >On Tue, Feb 17, 2015 at 8:18 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
> >> Individual resources should not be able to declare policy for the whole
> >> server, ...
> >
> >With HSTS we gave up on that.
>
> Well, HSTS essentially removes communication options, while the intent
> of CORS is to add communication options. I don't think you can compare
> them like that. HSTS is more like a redirect and misconfiguration may
> result in denial of service, while CORS misconfiguration can have more
> far-reaching consequences like exposing user information.

I share this concern. Note that CSP pinning as we're discussing it is also
purely negative in nature. It can block you from loading resources you'd
otherwise have access to, but can't force your host into exposing resources
you otherwise wouldn't.
Brad's .well-known suggestion is interesting. I'm worried about the latency
impacts, but it's probably worth exploring what it would take to add this
kind of thing to the Manifest spec (or some same-origin-limited version
thereof).
-mike
--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
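Added illustration (not part of this thread, and not code from any of the participants or from the CSP/CORS specs): a small Python model of the point made above, that a CORS misconfiguration is additive (it can grant cross-origin reads of authenticated responses) while a CSP or pinned CSP is subtractive (it can only remove loads the origin model would otherwise allow). The origins, the allowlist and the helper names are assumptions constructed for the example; the CSP matcher is a deliberately minimal approximation of source-list matching, not a full implementation.

```python
"""Model of 'additive' CORS misconfiguration vs 'subtractive' CSP.

All origins, allowlists and helper names below are hypothetical and
constructed for this example.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Hypothetical allowlist that a server operator maintains.
TRUSTED_ORIGINS = {"https://app.example.com"}


def cors_headers_reflecting(request_origin: str) -> Dict[str, str]:
    """Weak configuration: echo any Origin and allow credentials.

    Any site can then read authenticated responses, which is the
    'exposing user information' failure mode described in the thread.
    """
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_allowlisted(request_origin: str) -> Dict[str, str]:
    """Corrected configuration: grant only to an explicit allowlist.

    For anything else no CORS headers are sent, so the browser keeps
    the same-origin default (no grant, nothing exposed).
    """
    if request_origin in TRUSTED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


def cross_origin_read_allowed(headers: Dict[str, str], requester_origin: str,
                              with_credentials: bool) -> bool:
    """Approximation of the browser-side CORS response check."""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if with_credentials:
        # Credentialed responses require an exact origin match plus the
        # explicit credentials grant; '*' is never accepted here.
        return (acao == requester_origin
                and headers.get("Access-Control-Allow-Credentials") == "true")
    return acao in ("*", requester_origin)


def origin_of(url: str) -> str:
    """scheme://host[:port] of a URL."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split 'a b; c d' into {'a': ['b'], 'c': ['d']}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_allows(policy: str, directive: str, page_origin: str,
               resource_url: str) -> bool:
    """Minimal source-list matcher: 'self', 'none', '*' and exact origins.

    Falls back to default-src when the specific directive is absent; with
    no applicable directive at all, CSP imposes nothing.
    """
    directives = parse_csp(policy)
    sources: Optional[List[str]] = directives.get(directive, directives.get("default-src"))
    if sources is None:
        return True
    target = origin_of(resource_url)
    for src in sources:
        if src == "'none'":
            return False
        if src == "'self'" and target == page_origin:
            return True
        if src == "*" or src.rstrip("/") == target:
            return True
    return False


def load_permitted(origin_model_allows: bool, policy: str, directive: str,
                   page_origin: str, resource_url: str) -> bool:
    """A (pinned) CSP only ANDs in a restriction; it never grants what the
    origin model (same-origin rule plus any CORS grant) already denied."""
    return origin_model_allows and csp_allows(policy, directive, page_origin, resource_url)
```

The asymmetry shows up in the two failure modes: `cors_headers_reflecting` turns a request from an arbitrary origin into a readable credentialed response, whereas the most permissive policy you can hand to `load_permitted` (`img-src *`) still cannot flip a load that the origin model already refused.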