
Re: CORS performance

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 24 Feb 2015 12:25:03 +0100
Message-ID: <CADnb78hG4EUPsdgUZdj5jJ7+Qe6jeBmGw3Ez6HyF7p=UXsiOKg@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>
Cc: Henri Sivonen <hsivonen@hsivonen.fi>, Brad Hill <hillbrad@gmail.com>, WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>, Monsur Hossain <monsur@gmail.com>, Dale Harvey <dale@arandomurl.com>

On Mon, Feb 23, 2015 at 8:42 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> On Mon, Feb 23, 2015 at 11:06 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> That combined with requiring to list
>> the explicit origin has worked well for CORS so far.
> This could potentially help.
> I don't remember the details of how/why people screwed up with
> crosssite.xml. But if the problem was that people hosted multiple
> services on the same server and only thought of one of them when
> writing a policy, then this won't really help very much.

seems to support that.

> Do we have any data on how common it is for people to use CORS with
> credentials? My impression is that it's far less common than CORS
> without credentials.

I don't have data. It seems we don't have telemetry for this in Gecko.
Anyone else? I would also suspect that Access-Control-Allow-Origin: *
is more common.

> If that's the case then I think we'd get most of the functionality,
> with essentially none of the risk, by only allowing server-wide
> cookie-less preflights.

If we only do it for this, could we combine that feature with the
existing preflight then? Support an "Access-Control-Allow-Origin-Wide:
true" header or some such that's mutually exclusive with
"Access-Control-Allow-Credentials: true".

Received on Tuesday, 24 February 2015 11:25:30 UTC
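
An added sketch, not part of the original message or of any browser's code, of how a client-side preflight cache could treat the header floated above. The class name `PreflightCache` and the semantics are assumptions: a server-wide grant covers every URL on the server origin for credential-less requests only, and is ignored when the same response also sends `Access-Control-Allow-Credentials: true`. Methods, request headers and max-age are left out of the cache key to keep the case narrow.

```javascript
// Hypothetical preflight cache for the proposal in the message above.
// Header name taken from the message; everything else is assumed.
class PreflightCache {
  constructor() {
    this.perUrl = new Set();     // "requesting-origin url credentials" entries
    this.originWide = new Set(); // "requesting-origin server-origin" entries
  }

  // headers: plain object with lowercase names from a preflight response.
  // Returns the kind of entry stored: "origin-wide", "per-url" or "none".
  store(requestOrigin, url, withCredentials, headers) {
    const allowOrigin = headers["access-control-allow-origin"];
    const allowCreds = headers["access-control-allow-credentials"] === "true";
    const wide = headers["access-control-allow-origin-wide"] === "true";

    if (withCredentials) {
      // Credentialed CORS needs the explicit origin plus Allow-Credentials.
      if (allowOrigin !== requestOrigin || !allowCreds) return "none";
    } else if (allowOrigin !== "*" && allowOrigin !== requestOrigin) {
      return "none";
    }

    // Mutual exclusion: a server-wide grant never coexists with credentials.
    if (wide && !allowCreds && !withCredentials) {
      this.originWide.add(`${requestOrigin} ${new URL(url).origin}`);
      return "origin-wide";
    }
    this.perUrl.add(`${requestOrigin} ${url} ${withCredentials}`);
    return "per-url";
  }

  // True when a request must still be preceded by its own preflight.
  needsPreflight(requestOrigin, url, withCredentials) {
    if (!withCredentials &&
        this.originWide.has(`${requestOrigin} ${new URL(url).origin}`)) {
      return false;
    }
    return !this.perUrl.has(`${requestOrigin} ${url} ${withCredentials}`);
  }
}
```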
