- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 20 Feb 2015 10:05:13 +0100
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>
On Thu, Feb 19, 2015 at 9:22 PM, Jonas Sicking <jonas@sicking.cc> wrote: > Would this be allowed for both requests with credentials and requests > without credentials? The security implications of the two are very > different. Yes, but the latter requires the Access-Control-Allow-Credentials header to be included in the response. An alternative is that we attempt to introduce Access-Control-Policy-Path again from 2008. The problems you raised https://lists.w3.org/Archives/Public/public-appformats/2008May/0037.html seem surmountable. URL parsing is defined in more detail these days and we could simply ban URLs containing escaped \ and /. -- https://annevankesteren.nl/
Received on Friday, 20 February 2015 09:05:37 UTC