- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 28 Jul 2016 16:53:51 +0200
- To: "Mike O'Neill" <michael.oneill@baycloud.com>
- Cc: Mike West <mkwst@google.com>, Brad Hill <hillbrad@gmail.com>, Patrick Toomey <patrick.toomey@github.com>, Joel Weinberger <jww@google.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, WebAppSec WG <public-webappsec@w3.org>
On Thu, Jul 28, 2016 at 4:44 PM, Mike O'Neill <michael.oneill@baycloud.com> wrote: > OK, but you could extra info in them to check, the whole url if you had to. What does an infinitely variable Origin-Policy response bring to the table, that cannot be done using existing APIs? I'm not sure what you mean here. As I understand it these are the requirements: * Client needs to advertize support * Client needs to advertize what policy it has, if anything * Server needs to advertize support * Server needs to advertize the latest policy There's various ways to accomplish this, tradeoffs have been discussed on this thread. Nothing like this can be done through existing APIs, since it requires infrastructure changes. -- https://annevankesteren.nl/
Received on Thursday, 28 July 2016 14:54:18 UTC