Re: CORS restrictions on preflight (too) strict? from Daniel Veditz on 2018-08-04 (public-webappsec@w3.org from August 2018)

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 3 Aug 2018 17:14:30 -0700
To: "Ruben Verborgh (UGent-imec)" <Ruben.Verborgh@ugent.be>
Cc: "Miel Vander Sande (UGent-imec)" <Miel.VanderSande@ugent.be>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Herbert Van de Sompel <hvdsomp@gmail.com>
Message-ID: <CADYDTCAiym9LYaEHZg5Zwzk-5Xof0=Q=zP4vg=jhJof=cyGk7Q@mail.gmail.com>

On Fri, Aug 3, 2018 at 4:21 PM, Ruben Verborgh (UGent-imec)
<Ruben.Verborgh@ugent.be> wrote:
>> I think Ruben went wrong trying to argue all Accept-* headers are safe.
>
> I still haven't been proven wrong, but I get your point.

Yeah I'm not judging the merits, just noting it made the issue bigger
and added friction.

-Dan Veditz

Received on Saturday, 4 August 2018 00:15:13 UTC