On Thu, 17 Dec 2009 22:24:56 +0100, Mark S. Miller <[email protected]> wrote:
> Despite the costs of doing preflight opt-in on a per-resource basis rather
> than a per-origin basis, to meet its security goals, CORS proposes to do
> preflight on a per-resource basis. I have seen the rationale for this stated
> in bits and pieces. Can anyone point me at a reasonably self-contained
> statement for why we need preflight on a per-resource rather than a
> per-origin basis? If there's nothing adequate to point at, could someone
> state a reasonably self-contained rationale for this? Thanks.

We are concerned that a per-origin model would not be implemented
correctly. In addition, it would be somewhat of a pain in case of different
services maintained by different parties hosted on a single origin, which
we expect to be reasonably common.
--
Anne van Kesteren
http://annevankesteren.nl/
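
The shared-origin case raised in the reply, as an added example that is not part of the original message: two services on one host, each with its own preflight policy, checked per resource and then under a per-origin grant. The host, paths, policy table, function names, the 403 used for a refused preflight, and the shape of the per-origin model itself are all assumptions made for illustration.

```javascript
// Constructed sample: two services run by different teams on one origin
// (hypothetical https://intranet.example), each with its own CORS policy.
const policies = [
  { prefix: "/widgets/", origins: ["https://partner.example"], methods: ["GET", "DELETE"] },
  { prefix: "/payroll/", origins: [], methods: [] }, // this team never opted in
];

// Longest-prefix match, so a nested service is judged by its own policy.
function policyFor(path) {
  const hits = policies.filter((p) => path.startsWith(p.prefix));
  hits.sort((a, b) => b.prefix.length - a.prefix.length);
  return hits[0] || null;
}

// Per-resource preflight: the answer depends on the URL being asked about.
function preflightPerResource(req) {
  const p = policyFor(req.path);
  const origin = req.headers["origin"];
  const method = req.headers["access-control-request-method"];
  if (!p || !p.origins.includes(origin) || !p.methods.includes(method)) {
    return { status: 403, headers: {} }; // no CORS headers: the browser blocks the request
  }
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Methods": p.methods.join(", "),
      Vary: "Origin",
    },
  };
}

// Assumed per-origin model: an opt-in by any one service is treated as the
// answer for the whole host, so the requested path is never consulted.
function preflightPerOrigin(req) {
  const origin = req.headers["origin"];
  const method = req.headers["access-control-request-method"];
  const ok = policies.some((p) => p.origins.includes(origin) && p.methods.includes(method));
  return { status: ok ? 204 : 403, headers: {} };
}

// Constructed preflight request from the partner site for a DELETE.
const probe = (path) => ({
  path,
  headers: { origin: "https://partner.example", "access-control-request-method": "DELETE" },
});
```

Under the per-resource check the payroll team's lack of opt-in is honoured; under the assumed per-origin grant, the widgets team's opt-in decides for payroll as well.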