Re: CORS performance proposal

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 9 Jun 2015 06:54:04 +0200
Message-ID: <CADnb78gp5Y9CnHbQWWwXWxYWn_sDfsyJkimZYaEUAaizmpDbzQ@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: "Nottingham, Mark" <mnotting@akamai.com>, Bjoern Hoehrmann <derhoermi@gmx.net>, WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>

On Tue, Jun 9, 2015 at 6:42 AM, Martin Thomson <martin.thomson@gmail.com> wrote:
> The security properties bother me a little.  Alt-Svc is showing us
> that we can't just define a header field like that without some
> serious analysis.

Same goes for a site-wide file. See crossdomain.xml. However, either
coupled with "credentials mode = omit" seems okayish... Mark, do these
CDN requests mention credentials?


-- 
https://annevankesteren.nl/
Received on Tuesday, 9 June 2015 04:54:32 UTC
