- From: Jonas Sicking <jonas@sicking.cc>
- Date: Fri, 20 May 2011 19:48:15 -0700
On Fri, May 20, 2011 at 10:46 AM, Gregg Tavares (wrk) <gman at google.com> wrote:
> How about updating the CORS spec so that a server can send a
>
>     Access-Control-Allow-Origin: *
>
> header even when not specifically requested and the browser can then
> allow those resources to be used cross-origin where otherwise they
> wouldn't.
>
> This would mean sites like picasa and flickr could just add that
> static string to their headers and things would just work, no HTML
> or JS changes required, no having to tag images with cross-origin
> unless you're dealing with a really strict server that actually wants
> to check credentials.

When we designed CORS we very intentionally did not want to allow
"allow *" rules for resources that are loaded with user credentials
(most significantly cookies).

The reason was that we did not want people to repeat the mistakes that
happened when Flash's cross-site loading technology was deployed. Many
sites added an "allow *" rule to all their resources, thus accidentally
leaking all user data to any site that the user visited.

So to fix this in CORS, we only allow "allow *" rules for requests
loaded without user credentials. However, <img> elements by default
make requests with user credentials. Changing that, even for just
cross-site loads, would likely break the web.

/ Jonas
Received on Friday, 20 May 2011 19:48:15 UTC
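The rule Jonas describes, as an added example that is not part of the original thread, the CORS spec, or any browser's code: a small model of the browser-side response check, where a wildcard `Access-Control-Allow-Origin` is accepted only for requests sent without credentials, and a credentialed request needs an exact origin echo plus `Access-Control-Allow-Credentials: true`. The `imgCredentialsMode` helper models the point about `<img>`: with no `crossorigin` attribute the load carries cookies, so under the proposed "honour * even when not requested" behaviour the wildcard would still be rejected. The origins and header sets are constructed sample input; function names are the example's own.

```javascript
// Added example: model of the CORS response check discussed in the thread.
// Not code from the W3C spec, Gecko or the original message; names are assumed.
const CREDENTIALS_INCLUDE = "include"; // request carried cookies/auth
const CREDENTIALS_OMIT = "omit";       // anonymous request

// Case-insensitive header lookup over a plain object of response headers.
function headerValue(headers, name) {
  const key = Object.keys(headers).find(
    (k) => k.toLowerCase() === name.toLowerCase()
  );
  return key === undefined ? null : String(headers[key]).trim();
}

// Returns true if a cross-origin response may be exposed to a page at
// `requestOrigin`, given the response headers and the credentials mode
// the request was sent with.
function corsCheck(requestOrigin, responseHeaders, credentialsMode) {
  const allowOrigin = headerValue(responseHeaders, "Access-Control-Allow-Origin");
  if (allowOrigin === null) return false; // no CORS headers at all

  if (credentialsMode !== CREDENTIALS_INCLUDE) {
    // Anonymous request: a wildcard or an exact origin match is enough.
    return allowOrigin === "*" || allowOrigin === requestOrigin;
  }

  // Credentialed request: the wildcard is rejected outright (this is the
  // "no allow * with cookies" rule), the origin must be echoed exactly,
  // and the server must opt in to credentialed sharing explicitly.
  if (allowOrigin !== requestOrigin) return false;
  const allowCreds = headerValue(responseHeaders, "Access-Control-Allow-Credentials");
  return allowCreds === "true";
}

// Model of how an <img> load is sent. With no crossorigin attribute the
// request carries user credentials (the default Jonas refers to);
// crossorigin="anonymous" (or "") sends none; "use-credentials" sends them.
function imgCredentialsMode(crossoriginAttr) {
  if (crossoriginAttr === null || crossoriginAttr === undefined) {
    return CREDENTIALS_INCLUDE;
  }
  return crossoriginAttr.toLowerCase() === "use-credentials"
    ? CREDENTIALS_INCLUDE
    : CREDENTIALS_OMIT;
}

// Would a page at pageOrigin be allowed to read (e.g. via canvas) an image
// served with these headers, for the given crossorigin attribute value?
function imgAllowed(pageOrigin, crossoriginAttr, responseHeaders) {
  return corsCheck(pageOrigin, responseHeaders, imgCredentialsMode(crossoriginAttr));
}

// Constructed sample input: a photo host that just adds the static wildcard.
const PAGE = "https://app.example";
const WILDCARD_ONLY = { "Access-Control-Allow-Origin": "*" };
const ECHOED_WITH_CREDS = {
  "Access-Control-Allow-Origin": PAGE,
  "Access-Control-Allow-Credentials": "true",
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("plain <img>, wildcard:", imgAllowed(PAGE, null, WILDCARD_ONLY));
  console.log("crossorigin=anonymous, wildcard:", imgAllowed(PAGE, "anonymous", WILDCARD_ONLY));
  console.log("plain <img>, echoed origin + creds:", imgAllowed(PAGE, null, ECHOED_WITH_CREDS));
}
```

The design point to take from the model is that the wildcard branch and the credentialed branch never meet: a server that only ever emits `Access-Control-Allow-Origin: *` can never leak a cookie-authenticated response, which is exactly the property the thread says CORS was built to preserve, and which a plain `<img>` load (credentials included by default) cannot satisfy without the `crossorigin` attribute.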