Re: CORS performance

From: <henry.story@bblfish.net>
Date: Thu, 19 Feb 2015 22:29:43 +0100
Cc: WebAppSec WG <public-webappsec@w3.org>, public-webapps public-webapps <public-webapps@w3.org>
Message-Id: <B0A6F1A3-DF47-4392-97B4-5AEEE0CA906E@bblfish.net>
To: Martin Thomson <martin.thomson@gmail.com>

> On 19 Feb 2015, at 22:04, Martin Thomson <martin.thomson@gmail.com> wrote:
> On 18 February 2015 at 06:31, Brad Hill <hillbrad@gmail.com> wrote:
>> Some of the things that argue against /.well-known are:
>> 1) Added latency of fetching the resource.
> It's not available everywhere yet, but you could push it, based on the below.
>> 2) Clients hammering servers for non-existent /.well-known resources (the
>> favicon issue)
> You could avoid that by Link:-ing to the /.well-known and only hitting
> it if the link appears.

I assume you mean the Link: header. In that case I like the idea.

Well, the client could even cache the document and only hit it once for the whole
server. Furthermore, there would then be no need for the URL to be in a .well-known
location. It could be any resource whatsoever.

That is the way that the "Web Access Control" system functions. See link from 
this page


Every resource has a link to those resources that require access.
Also see the curl examples


Social Web Architect
Received on Thursday, 19 February 2015 21:30:14 UTC
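
The approach discussed in this message (request the policy resource only when a `Link:` header points to it, and fetch it once however many resources link to it), as an added JavaScript example that is not part of the original message. `rel="acl"` is the relation Web Access Control uses; the same-origin check, `PolicyCache`, the injected `fetchPolicy` and the sample URLs are assumptions of the example.

```javascript
// Added example, not code from the thread or from any specification.
// Parse a Link header value into [{ target, rels }] (RFC 8288 syntax, simplified).
function parseLinkHeader(value) {
  const links = [];
  // Split only on commas that begin a new <target>, not commas inside parameters.
  for (const part of value.split(/,\s*(?=<)/)) {
    const m = part.match(/^\s*<([^>]*)>(.*)$/s);
    if (!m) continue;
    const params = {};
    for (const p of m[2].matchAll(/;\s*([\w-]+)\s*=\s*(?:"([^"]*)"|([^;,\s]*))/g)) {
      params[p[1].toLowerCase()] = p[2] !== undefined ? p[2] : p[3];
    }
    const rels = (params.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
    links.push({ target: m[1], rels });
  }
  return links;
}

// Return the absolute policy URL advertised for a resource, or null.
function policyUrlFor(resourceUrl, linkHeader, rel = "acl") {
  if (!linkHeader) return null; // no Link header: the client makes no extra request
  const hit = parseLinkHeader(linkHeader).find((l) => l.rels.includes(rel));
  if (!hit) return null;
  const resolved = new URL(hit.target, resourceUrl); // relative targets are allowed
  // Assumption of this example: accept only a policy served by the resource's own origin.
  return resolved.origin === new URL(resourceUrl).origin ? resolved.href : null;
}

// Cache keyed by policy URL, so many resources linking to one document cost one fetch.
class PolicyCache {
  constructor(fetchPolicy) {
    this.fetchPolicy = fetchPolicy; // hypothetical fetcher: (url) => policy or Promise
    this.cache = new Map();
  }
  get(resourceUrl, linkHeader) {
    const url = policyUrlFor(resourceUrl, linkHeader);
    if (url === null) return null;
    if (!this.cache.has(url)) this.cache.set(url, this.fetchPolicy(url));
    return this.cache.get(url);
  }
}
```

Because the policy can live at any URL the header names, nothing is requested from servers that do not advertise one, which removes the favicon-style probing raised earlier in the thread.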