- From: Henri Sivonen <hsivonen@hsivonen.fi>
- Date: Mon, 23 Feb 2015 17:15:39 +0200
- To: Brad Hill <hillbrad@gmail.com>
- Cc: Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>, Monsur Hossain <monsur@gmail.com>, Jonas Sicking <jonas@sicking.cc>, Dale Harvey <dale@arandomurl.com>
On Tue, Feb 17, 2015 at 9:31 PM, Brad Hill <hillbrad@gmail.com> wrote: > I think it is at least worth discussing the relative merits of using a > resource published under /.well-known for such use cases, vs. sending > "pinned" headers with every single resource. FWIW, when CORS was designed, the Flash crossdomain.xml design (which uses a well-known URL though not under /.well-known) already existed and CORS deliberately opted for a different design. It's been a while, so I don't recall what the reasons against adopting crossdomain.xml or something very similar to it were, but considering that the crossdomain.xml design was knowingly rejected, it's probably worthwhile to pay attention to why. -- Henri Sivonen hsivonen@hsivonen.fi https://hsivonen.fi/
Received on Monday, 23 February 2015 15:16:02 UTC