W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2015

Re: CORS performance proposal

From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 8 Jun 2015 21:42:53 -0700
Message-ID: <CABkgnnWD58a60dPE8WCpNXs7XOftpohaPgnnruJraaQWGCJa+w@mail.gmail.com>
To: "Nottingham, Mark" <mnotting@akamai.com>
Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>
On 8 June 2015 at 21:30, Nottingham, Mark <mnotting@akamai.com> wrote:
> A header denoting site-wide metadata would work for this too, of course, if folks were comfortable with the security properties of doing that (as well as the potential response overhead).


The security properties bother me a little.  Alt-Svc is showing us
that we can't just define a header field like that without some
serious analysis.
Received on Tuesday, 9 June 2015 04:43:22 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:13 UTC