- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 20 Jun 2011 12:25:25 -0700
On Mon, Jun 20, 2011 at 6:39 AM, Anne van Kesteren <annevk at opera.com> wrote: > On Sat, 21 May 2011 04:48:15 +0200, Jonas Sicking <jonas at sicking.cc> wrote: >> >> When we designed CORS we very intentionally did not want to allow >> "allow *" rules for resources that are loaded with user credentials >> (most significantly cookies). The reason was that we did not want >> people to repeat the mistakes that happened when flash's cross-site >> loading technology was deployed. Many sites added a "allow *" rule to >> all their resources, thus accidentally leaking all user data to any >> site that the user visited. > > That is not actually true as that would require a second header, > Access-Control-Allow-Credentials. I think we should stop banning "*". It's still very easy to add those two static headers and thus expose your whole site to attack (most servers allow adding headers on a per-subtree basis). I also don't see a reason to allow it as so far I haven't heard of anyone having problems due to the lack of ability to use *-rules in combination with cookies. So I'm strongly against allowing this. / Jonas
Received on Monday, 20 June 2011 12:25:25 UTC