* Anne van Kesteren wrote:
>On Tue, Feb 17, 2015 at 8:18 PM, Bjoern Hoehrmann <derhoe...@gmx.net> wrote:
>> Individual resources should not be able to declare policy for the whole
>> server, ...
>
>With HSTS we gave up on that.
Well, HSTS essentially removes communication options, while the intent of CORS is to add communication options. I don't think you can compare them like that. HSTS is more like a redirect and misconfiguration may result in denial of service, while CORS misconfiguration can have more far-reaching consequences like exposing user information.

-- 
Björn Höhrmann · mailto:bjo...@hoehrmann.de · http://bjoern.hoehrmann.de
D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
Available for hire in Berlin (early 2015) · http://www.websitedev.de/
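The asymmetry the reply describes, as an added example that is not part of the thread: a small response-header audit that flags the CORS misconfiguration which can expose user data (an untrusted Origin echoed back with credentials allowed) next to an HSTS parser, whose policy can only forbid plain-HTTP access. The TRUSTED_ORIGINS allow-list and all header values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical allow-list used by the audit; not from the thread.
TRUSTED_ORIGINS = {"https://app.example"}

@dataclass
class CorsFinding:
    severity: str  # "ok", "low", "medium" or "high"
    reason: str

def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    # HTTP header names are case-insensitive; normalise before lookup.
    return {k.lower(): v.strip() for k, v in headers.items()}

def audit_cors(headers: Dict[str, str], request_origin: str) -> CorsFinding:
    """Classify what a response's CORS headers let the requesting origin read."""
    h = _lower(headers)
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return CorsFinding("ok", "no cross-origin read granted")
    if acao == "*":
        # Browsers refuse credentialed reads for '*', so only public data is readable.
        return CorsFinding("low", "any origin may read this resource without credentials")
    if acao in TRUSTED_ORIGINS:
        return CorsFinding("ok", "read granted only to a trusted origin")
    if acao == request_origin:
        # The server echoed whatever Origin it was sent; with credentials this
        # lets any site the user visits read the user's own data here.
        return CorsFinding("high" if creds else "medium",
                           "Origin reflected for an untrusted origin"
                           + (" with credentials" if creds else ""))
    return CorsFinding("medium", "allow-origin value is not on the trusted list")

def hsts_policy(headers: Dict[str, str]) -> Optional[Tuple[int, bool]]:
    """Return (max_age, include_subdomains) from Strict-Transport-Security, or
    None when absent. An HSTS mistake only forbids plain-HTTP access; it never
    grants another origin a read, which is the asymmetry the reply points at."""
    value = _lower(headers).get("strict-transport-security")
    if value is None:
        return None
    max_age, sub = 0, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip().isdigit():
            max_age = int(arg)
        elif name.lower() == "includesubdomains":
            sub = True
    return max_age, sub
```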