Re: CORS performance proposal

> On 9 Jun 2015, at 2:54 pm, Anne van Kesteren <annevk@annevk.nl> wrote:
> 
> On Tue, Jun 9, 2015 at 6:42 AM, Martin Thomson <martin.thomson@gmail.com> wrote:
>> The security properties bother me a little.  Alt-Svc is showing us
>> that we can't just define a header field like that without some
>> serious analysis.
> 
> Same goes for a site-wide file. See crossdomain.xml. However, either
> coupled with "credentials mode = omit" seems okayish... Mark, do these
> CDN requests mention credentials?

Will look into it. Supporting without credentials (and leaving future extensibility for the possibility) would certainly be a good start.

Cheers,

--
Mark Nottingham    mnot@akamai.com    https://www.mnot.net/

Received on Tuesday, 9 June 2015 05:18:44 UTC