W3C home > Mailing lists > Public > whatwg@whatwg.org > June 2011

[whatwg] CORS requests for image and video elements

From: Anne van Kesteren <annevk@opera.com>
Date: Mon, 20 Jun 2011 15:39:18 +0200
Message-ID: <op.vxdmvsc964w2qv@anne-van-kesterens-macbook-pro.local>
On Sat, 21 May 2011 04:48:15 +0200, Jonas Sicking <jonas at sicking.cc> wrote:
> When we designed CORS we very intentionally did not want to allow
> "allow *" rules for resources that are loaded with user credentials
> (most significantly cookies). The reason was that we did not want
> people to repeat the mistakes that happened when flash's cross-site
> loading technology was deployed. Many sites added a "allow *" rule to
> all their resources, thus accidentally leaking all user data to any
> site that the user visited.

That is not actually true as that would require a second header,  
Access-Control-Allow-Credentials. I think we should stop banning "*".

Anne van Kesteren
Received on Monday, 20 June 2011 06:39:18 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:34 UTC