
Re: CORS restrictions on preflight (too) strict?

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 3 Aug 2018 10:10:43 -0700
Message-ID: <CADYDTCCVtMbksuY7S+THZ31HXAQ5H2=TTcAhkf8HY_EX7Lc_2A@mail.gmail.com>
To: "Miel Vander Sande (UGent-imec)" <Miel.VanderSande@ugent.be>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, "Ruben Verborgh (UGent-imec)" <Ruben.Verborgh@ugent.be>, Herbert Van de Sompel <hvdsomp@gmail.com>

There are no planned revisions of the "CORS" spec. CORS is now
incorporated as part of the Fetch spec, which continues to evolve. The
mail from two years ago references a Fetch spec issue and that seems
like the appropriate place to discuss this.

I think Ruben went wrong trying to argue all Accept-* headers are
safe. The CORS approach has been "This has never been allowed in the
past and servers aren't defending against it--we're only going to poke
holes for things we can prove are harmless". He should have made a
case for his specific protocol's set of headers, or pursued the
"Safe-*" header option Anne suggested. Though that, of course, would
require the Memento protocol changing its headers.

-Dan Veditz
Received on Friday, 3 August 2018 17:11:28 UTC
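The "poke holes only for things we can prove are harmless" approach Dan describes is concrete in the Fetch spec's list of CORS-safelisted request headers: only Accept, Accept-Language, Content-Language and Content-Type (with restricted values and a 128-byte length cap) are sent cross-origin without a preflight, and any other Accept-* header triggers OPTIONS. The following model of that rule is an added illustration, not code from this thread, from Mozilla, or from the Memento project. The page does not name the Memento header; the example uses Accept-Datetime, the header defined by the Memento RFC (RFC 7089), as its instance of an Accept-* header that is not safelisted. The Range header's separate value grammar is omitted.

```python
"""Classify a cross-origin request as 'simple' (no preflight) or
'preflighted' by applying the Fetch spec's CORS-safelisted rules.

Added illustration for the mailing-list discussion above; it is not code
from the thread, Mozilla, or the Memento project. Accept-Datetime in the
sample requests is assumed from the Memento RFC, not from the page.
"""

SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}

# Bytes the spec calls "CORS-unsafe request-header bytes":
# controls other than HT, plus the listed delimiters and DEL.
_UNSAFE = set(range(0x00, 0x20)) - {0x09}
_UNSAFE |= {0x22, 0x28, 0x29, 0x3A, 0x3C, 0x3E, 0x3F, 0x40,
            0x5B, 0x5C, 0x5D, 0x7B, 0x7D, 0x7F}

# The narrower alphabet permitted in Accept-Language / Content-Language:
# digits, ASCII letters, space, '*', ',', '-', '.', ';', '='.
_LANG_OK = (set(range(0x30, 0x3A)) | set(range(0x41, 0x5B))
            | set(range(0x61, 0x7B))
            | {0x20, 0x2A, 0x2C, 0x2D, 0x2E, 0x3B, 0x3D})


def is_safelisted_header(name: str, value: str) -> bool:
    """True if (name, value) is a CORS-safelisted request header."""
    # Header values are byte strings; non-Latin-1 text becomes '?', which is unsafe.
    raw = value.encode("latin-1", "replace")
    if len(raw) > 128:                      # spec: value must not exceed 128 bytes
        return False
    lname = name.lower()                    # names match byte-case-insensitively
    if lname == "accept":
        return not any(b in _UNSAFE for b in raw)
    if lname in ("accept-language", "content-language"):
        return all(b in _LANG_OK for b in raw)
    if lname == "content-type":
        if any(b in _UNSAFE for b in raw):
            return False
        essence = value.split(";", 1)[0].strip().lower()   # MIME type sans parameters
        return essence in SAFELISTED_CONTENT_TYPES
    return False                            # every other name forces a preflight


def needs_preflight(method: str, headers: dict) -> list:
    """Return the reasons this request triggers an OPTIONS preflight;
    an empty list means the browser sends it directly as a 'simple' request."""
    reasons = []
    if method.upper() not in SAFELISTED_METHODS:
        reasons.append(f"method {method} is not safelisted")
    for name, value in headers.items():
        if not is_safelisted_header(name, value):
            reasons.append(f"header {name} is not safelisted")
    return reasons


if __name__ == "__main__":
    # Constructed sample requests, not taken from the page.
    samples = [
        ("GET", {"Accept": "text/html", "Accept-Language": "en-US,en;q=0.9"}),
        ("GET", {"Accept-Datetime": "Thu, 01 Jan 2015 00:00:00 GMT"}),
        ("POST", {"Content-Type": "application/json"}),
        ("POST", {"Content-Type": "text/plain; charset=utf-8"}),
        ("PUT", {}),
    ]
    for method, hdrs in samples:
        print(method, hdrs, "->", needs_preflight(method, hdrs) or "simple request")
```

The Accept-Datetime case is the one the thread is about: the header is an Accept-* header, but because it is not on the safelist the browser preflights it, and a Memento server that does not answer OPTIONS with Access-Control-Allow-Headers for it never sees the real request. The fix on the server side is to answer the preflight, not to expect the browser to relax the rule.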
