W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: CORS performance

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 24 Feb 2015 10:33:32 -0800
Message-ID: <CA+c2ei-QiEp5Wu6XMSSp91hz_bthbsiH2-bv3ocVE_UFaZ_Z5Q@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Henri Sivonen <hsivonen@hsivonen.fi>, Brad Hill <hillbrad@gmail.com>, WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>, Monsur Hossain <monsur@gmail.com>, Dale Harvey <dale@arandomurl.com>
On Tue, Feb 24, 2015 at 3:25 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> If that's the case then I think we'd get most of the functionality,
>> with essentially none of the risk, by only allowing server-wide
>> cookie-less preflights.
> If we only do it for this, could we combine that feature with the
> existing preflight then? Support a "Access-Control-Allow-Origin-Wide:
> true" header or some such that's mutually exclusive with
> "Access-Control-Allow-Credentials: true".

I don't have opinions on this.

/ Jonas
Received on Tuesday, 24 February 2015 18:34:31 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:46 UTC