On Mon, Dec 21, 2009 at 5:31 PM, Ian Hickson <[email protected]> wrote:
> The most simple cases are also the most common and are by far the cases I
> care the most about. The more complicated cases are authored by more
> competent authors, and can be more complicated (e.g. they don't have to
> use CORS).
>
It seems to me that anyone who needs cross-origin resources in the first place, and cannot accept providing *everyone* access to the resource, is most likely already doing something complicated enough that there is a significant chance of vulnerabilities. Non-complicated situations with these requirements seem relatively rare to me. But you would know better.
