On Tue, Feb 17, 2015 at 8:43 PM, Bjoern Hoehrmann <derhoe...@gmx.net> wrote:
> * Anne van Kesteren wrote:
> >On Tue, Feb 17, 2015 at 8:18 PM, Bjoern Hoehrmann <derhoe...@gmx.net> wrote:
> >> Individual resources should not be able to declare policy for the whole
> >> server, ...
> >
> >With HSTS we gave up on that.
>
> Well, HSTS essentially removes communication options, while the intent
> of CORS is to add communication options. I don't think you can compare
> them like that. HSTS is more like a redirect and misconfiguration may
> result in denial of service, while CORS misconfiguration can have more
> far-reaching consequences like exposing user information.

I share this concern. Note that CSP pinning as we're discussing it is also purely negative in nature. It can block you from loading resources you'd otherwise have access to, but can't force your host into exposing resources you otherwise wouldn't.

Brad's .well-known suggestion is interesting. I'm worried about the latency impacts, but it's probably worth exploring what it would take to add this kind of thing to the Manifest spec (or some same-origin-limited version thereof).

-mike

--
Mike West <mk...@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
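The "CORS misconfiguration can expose user information" point in the quoted reply is the kind of thing a server operator can unit-test. The following is an added example, not code from this thread or from any of the participants: it places the common over-permissive pattern (echoing the request's `Origin` back together with `Access-Control-Allow-Credentials: true`) beside an exact-match allowlist, and runs both policies against a small set of constructed probe origins to show which one grants credentialed cross-origin reads to non-listed sites. The function names, the allowlist and the probe origins are all assumptions made up for the illustration.

```python
"""CORS origin handling: reflected Origin (over-permissive) beside an
exact-match allowlist, plus a self-check a server operator can run.
Added example; all names and origins below are constructed."""

# Constructed allowlist of origins that may read credentialed responses.
ALLOWED_ORIGINS = frozenset({
    "https://app.example",
    "https://admin.example",
})

# Constructed probe set: one legitimate origin and several lookalikes that a
# strict policy must reject (suffix trick, unrelated host, scheme downgrade,
# and the opaque "null" origin of sandboxed or file-based documents).
PROBE_ORIGINS = (
    "https://app.example",
    "https://app.example.attacker.test",
    "https://evil-app.example",
    "http://app.example",
    "null",
)


def reflect_origin_headers(request_origin):
    """The misconfiguration: echo whatever Origin arrived and allow
    credentials. Any origin can then read the authenticated response."""
    if request_origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def allowlist_headers(request_origin, allowed=ALLOWED_ORIGINS):
    """Exact string match against the allowlist. Anything not listed gets no
    CORS headers at all, so the browser withholds the response body."""
    if request_origin is None or request_origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def leaking_origins(policy, allowed=ALLOWED_ORIGINS):
    """Run a CORS policy function over the probe origins and return those
    non-allowlisted origins that would be granted credentialed access.
    An empty list means the policy is strict."""
    leaks = []
    for origin in PROBE_ORIGINS:
        headers = policy(origin)
        granted = (
            headers.get("Access-Control-Allow-Origin") == origin
            and headers.get("Access-Control-Allow-Credentials") == "true"
        )
        if granted and origin not in allowed:
            leaks.append(origin)
    return leaks


if __name__ == "__main__":
    print("reflecting policy leaks to:", leaking_origins(reflect_origin_headers))
    print("allowlist policy leaks to: ", leaking_origins(allowlist_headers))
```

The contrast with HSTS in the quoted reply shows up here: a wrong HSTS header can only stop a site from being reached, whereas the reflecting policy above actively hands authenticated responses to every probe origin except the one actually listed.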