On Tue, Feb 17, 2015 at 8:18 PM, Bjoern Hoehrmann <derhoe...@gmx.net> wrote:
> Individual resources should not be able to declare policy for the whole
> server, ...

With HSTS we gave up on that.

> HTTP/1.1 rather has `OPTIONS *` for that, which would require a
> new kind of "preflight" request. And if the whole server is fine with
> cross-origin requests, I am not sure there is much of a point trying to
> lock it down by restricting request headers or methods.

Yeah, I wasn't sure whether those should all be listed. Maybe simply
declaring you're fluent in CORS in a unique way is sufficient.

