Re: Improving CORS security

On Fri, May 12, 2017 at 10:20 AM, James Kettle <
> wrote:

> I think this would need to support credentials for anyone to use it. I
> agree that trusting all subdomains isn't really a great idea, but it's a
> common use case and if you enforced a rule like '* must be followed by .'
> you could help out the many sites making Zomato's mistake of trusting
> literally everything that ends in, including

​Wildcards in CSP directives have this requirement (apart from​ standalone
"*"). Completely reasonable.

Maybe mixed content was a poor choice of terminology. I think this
> suggestion might have been misunderstood slightly. I'm suggesting that an
> application that specifies ACAO: true and ACAO: <some HTTP origin> should
> have the ACAC flag ignored. I don't see how this will making upgrading
> sites to HTTPS harder, since as Anne said the standard approach is to
> upgrade CDNs first and the application afterward, and it's only
> applications that care about allowing credentials.

​Does Google have any telemetry on how often http->https XHR/fetch
explicitly request credentials? Mozilla mixed-content telemetry ignores
insecure documents so we don't have any.

​Dan VEditz​

Received on Friday, 12 May 2017 18:19:41 UTC