- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Fri, 3 Aug 2018 10:10:43 -0700
- To: "Miel Vander Sande (UGent-imec)" <Miel.VanderSande@ugent.be>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, "Ruben Verborgh (UGent-imec)" <Ruben.Verborgh@ugent.be>, Herbert Van de Sompel <hvdsomp@gmail.com>

There are no planned revisions of the "CORS" spec. CORS is now incorporated as part of the Fetch spec, which continues to evolve. The mail from two years ago references a Fetch spec issue and that seems like the appropriate place to discuss this.

I think Ruben went wrong trying to argue all Accept-* headers are safe. The CORS approach has been "This has never been allowed in the past and servers aren't defending against it--we're only going to poke holes for things we can prove are harmless". He should have made a case for his specific protocol's set of headers, or pursued the "Safe-*" header option Anne suggested. Though that, of course, would require the Memento protocol changing its headers.

-Dan Veditz

Received on Friday, 3 August 2018 17:11:28 UTC