W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: CORS performance proposal

From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 20 Feb 2015 08:01:58 +1100
Message-ID: <CABkgnnVaYuEcBhe6_yp+Lnu84h_myOeFoC5M2oT9OS8p+VhXyw@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>
On 20 February 2015 at 00:29, Anne van Kesteren <annevk@annevk.nl> wrote:
>   Access-Control-Allow-Origin-Wide-Cache: [origin]

This has some pretty implications for server deployments that host
mutual distrustful applications.  Now, these servers are already
pretty well hosed from other directions, but I don't believe that
there is any pre-existing case where a header field set in a request
to /x could affect future requests to /y.

An alternative would be to use /.well-known for site wide policies.
Received on Thursday, 19 February 2015 21:02:25 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:46 UTC