Re: CORS performance

From: Henri Sivonen <hsivonen@hsivonen.fi>
Date: Mon, 23 Feb 2015 17:15:39 +0200
Message-ID: <CAJQvAudDhaz-ToRk6an-b1gPUtjkamNygj9G5nXLKZ6T0WEzrg@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>, Monsur Hossain <monsur@gmail.com>, Jonas Sicking <jonas@sicking.cc>, Dale Harvey <dale@arandomurl.com>

On Tue, Feb 17, 2015 at 9:31 PM, Brad Hill <hillbrad@gmail.com> wrote:
> I think it is at least worth discussing the relative merits of using a
> resource published under /.well-known for such use cases, vs. sending
> "pinned" headers with every single resource.

FWIW, when CORS was designed, the Flash crossdomain.xml design (which
uses a well-known URL though not under /.well-known) already existed
and CORS deliberately opted for a different design.

It's been a while, so I don't recall what the reasons against adopting
crossdomain.xml or something very similar to it were, but considering
that the crossdomain.xml design was knowingly rejected, it's probably
worthwhile to pay attention to why.

Henri Sivonen
Received on Monday, 23 February 2015 15:16:02 UTC
