On Thu, Feb 19, 2015 at 9:22 PM, Jonas Sicking <jo...@sicking.cc> wrote:
> Would this be allowed for both requests with credentials and requests
> without credentials? The security implications of the two are very
> different.

Yes, but the latter requires the Access-Control-Allow-Credentials
header to be included in the response.

An alternative is that we attempt to introduce
Access-Control-Policy-Path again from 2008. The problems you raised
seem surmountable. URL parsing is defined in more detail these days
and we could simply ban URLs containing escaped \ and /.
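
The ban suggested above, sketched as an added example that is not part of the original message or of any specification text. The function names, the `api.example` URLs and the segment-boundary prefix rule are assumptions for illustration; the point is that a path-scoped policy check refuses any URL whose path still contains a percent-encoded `/` or `\` after parsing.

```javascript
// Added illustration. Names and the prefix-matching rule are assumptions,
// not taken from the Access-Control-Policy-Path draft.
const ESCAPED_SEPARATOR = /%(?:2f|5c)/i; // percent-encoded "/" or "\"

// Returns the parsed path, or null when the URL must be refused.
function normalizedPath(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG URL parser
  } catch {
    return null; // unparseable input is refused
  }
  // The parser has already resolved "." and ".." segments. An escaped
  // separator survives parsing, and a server might decode it later into
  // a different path than the one checked here, so refuse it outright.
  if (ESCAPED_SEPARATOR.test(url.pathname)) return null;
  return url.pathname;
}

// True only when requestUrl falls under policyPath on a segment boundary.
function coveredByPolicyPath(requestUrl, policyPath) {
  const path = normalizedPath(requestUrl);
  if (path === null) return false;
  if (!policyPath.startsWith("/") || ESCAPED_SEPARATOR.test(policyPath)) {
    return false; // the policy path itself is held to the same rule
  }
  const prefix = policyPath.endsWith("/") ? policyPath : policyPath + "/";
  return path === prefix.slice(0, -1) || path.startsWith(prefix);
}

// Constructed sample inputs, checked against the policy path "/public/".
function demo() {
  const samples = [
    "https://api.example/public/data.json",        // plainly under the path
    "https://api.example/public/..%2Fprivate/key", // escaped "/"
    "https://api.example/public/..%5Cprivate/key", // escaped "\"
    "https://api.example/public/../private/key",   // resolves to /private/key
    "https://api.example/publicity/data.json",     // prefix, wrong segment
  ];
  return samples.map((u) => coveredByPolicyPath(u, "/public/"));
}

console.log(demo());
```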

