On Tue, Jun 17, 2014 at 11:27 PM, Garet Claborn <ga...@approach.im> wrote:
> Some aspects of this proposal could most likely be enhanced and/or
> simplified. There's quite a bit I do not know about the current state
> of discussion in this area. Simply, I hope that we'll eventually have
> a cleaner interface towards securing CORS and automating access across
> networks.

I might be missing something, but I don't see how these secure against
the IIS bug.

We could ignore that bug and put a warning sign in the specification,
as Ian suggested back then. Is there sufficient usage of CORS to add
the complexity? And, are server administrators okay with this being

The most attractive solution would be to do an OPTIONS * fetch of
sorts against a given host. Because basically the entire preflight
thing is a dance to figure out if the server knows about CORS.


Reply via email to