On Tue, Feb 17, 2015 at 9:31 PM, Brad Hill <hillb...@gmail.com> wrote:
> I think it is at least worth discussing the relative merits of using a
> resource published under /.well-known for such use cases, vs. sending
> "pinned" headers with every single resource.

FWIW, when CORS was designed, the Flash crossdomain.xml design (which
uses a well-known URL though not under /.well-known) already existed
and CORS deliberately opted for a different design.

It's been a while, so I don't recall what the reasons against adopting
crossdomain.xml or something very similar to it were, but considering
that the crossdomain.xml design was knowingly rejected, it's probably
worthwhile to pay attention to why.

Henri Sivonen
