W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: CORS performance proposal

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Thu, 19 Feb 2015 23:39:12 +0100
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>
Message-ID: <q8pcea1r2d3v4u5sdofd5plqnam358mhai@hive.bjoern.hoehrmann.de>
* Martin Thomson wrote:
>On 20 February 2015 at 00:29, Anne van Kesteren <annevk@annevk.nl> wrote:
>>   Access-Control-Allow-Origin-Wide-Cache: [origin]
>This has some pretty implications for server deployments that host
>mutual distrustful applications.  Now, these servers are already
>pretty well hosed from other directions, but I don't believe that
>there is any pre-existing case where a header field set in a request
>to /x could affect future requests to /y.
>An alternative would be to use /.well-known for site wide policies.

The proposal is to use `OPTIONS * HTTP/1.1` not `OPTIONS /x HTTP/1.1`.
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
 Available for hire in Berlin (early 2015)  · http://www.websitedev.de/ 
Received on Thursday, 19 February 2015 22:39:46 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:46 UTC