- From: Anne van Kesteren <annevk@opera.com>
- Date: Mon, 20 Jun 2011 15:39:18 +0200
On Sat, 21 May 2011 04:48:15 +0200, Jonas Sicking <jonas at sicking.cc> wrote:

> When we designed CORS we very intentionally did not want to allow
> "allow *" rules for resources that are loaded with user credentials
> (most significantly cookies). The reason was that we did not want
> people to repeat the mistakes that happened when Flash's cross-site
> loading technology was deployed. Many sites added an "allow *" rule to
> all their resources, thus accidentally leaking all user data to any
> site that the user visited.

That is not actually true, as that would require a second header, Access-Control-Allow-Credentials. I think we should stop banning "*".

-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Monday, 20 June 2011 06:39:18 UTC
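The two headers the thread argues about are easiest to see by walking through the decision a browser makes before it exposes a cross-origin response to a page. The following is an added example, not code from the thread or from any browser; it implements the CORS check as browsers apply it today (the Fetch Standard's "CORS check"), where a bare `Access-Control-Allow-Origin: *` is never accepted for a credentialed request and a credentialed request additionally needs `Access-Control-Allow-Credentials: true`. The function name `corsCheck`, the `demo` helper, the origin `https://third-party.example` and the three sample header sets are all constructed for illustration.

```javascript
// Added example (not from the thread): the browser-side CORS check that
// decides whether a cross-origin response is exposed to the calling page.
// It follows the check described in the Fetch Standard; the function names,
// sample origin and sample responses below are constructed for illustration.

function corsCheck({ requestOrigin, credentialsMode, responseHeaders }) {
  // Header names are case-insensitive; values are compared exactly.
  const header = (name) => {
    const key = Object.keys(responseHeaders).find(
      (k) => k.toLowerCase() === name.toLowerCase()
    );
    return key === undefined ? null : responseHeaders[key];
  };

  const allowOrigin = header("Access-Control-Allow-Origin");
  if (allowOrigin === null) {
    return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  }

  // A bare "*" is sufficient only when the request carried no credentials.
  if (credentialsMode !== "include" && allowOrigin === "*") {
    return { allowed: true, reason: "wildcard origin, anonymous request" };
  }

  // Otherwise the header must name the requesting origin byte-for-byte;
  // this is the step where "*" fails for a credentialed request.
  if (allowOrigin !== requestOrigin) {
    return { allowed: false, reason: `origin mismatch (${allowOrigin})` };
  }

  if (credentialsMode !== "include") {
    return { allowed: true, reason: "origin matched, anonymous request" };
  }

  // A credentialed request also needs the second header the reply mentions.
  const allowCredentials = header("Access-Control-Allow-Credentials");
  if (allowCredentials !== "true") {
    return {
      allowed: false,
      reason: "Access-Control-Allow-Credentials is not 'true'",
    };
  }
  return { allowed: true, reason: "origin matched, credentials explicitly allowed" };
}

// Constructed sample responses, as a hypothetical API might send them.
const wildcardOnly = { "Access-Control-Allow-Origin": "*" };
const wildcardWithCredentials = {
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Credentials": "true",
};
const reflectedOrigin = {
  // The requesting origin echoed back verbatim, plus the credentials header.
  "Access-Control-Allow-Origin": "https://third-party.example",
  "Access-Control-Allow-Credentials": "true",
};

// Runs the check for one requesting origin against each sample response.
function demo() {
  const origin = "https://third-party.example";
  const run = (credentialsMode, responseHeaders) =>
    corsCheck({ requestOrigin: origin, credentialsMode, responseHeaders }).allowed;
  return {
    // "allow *" alone exposes anonymous responses only.
    wildcardAnonymous: run("omit", wildcardOnly),
    wildcardCredentialed: run("include", wildcardOnly),
    // Adding the second header does not rescue "*" for credentialed requests.
    wildcardCredentialedWithAcac: run("include", wildcardWithCredentials),
    // The combination that does expose credentialed data: a reflected origin
    // together with Access-Control-Allow-Credentials: true.
    reflectedCredentialed: run("include", reflectedOrigin),
  };
}

console.log(demo());
```

Read as an audit rule, the only header pair that exposes cookie-authenticated responses to another site is a specific (often reflected) `Access-Control-Allow-Origin` value together with `Access-Control-Allow-Credentials: true`; a response carrying only `*` is exposed to anonymous requests and nothing else, which is the point the reply makes.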