On Mon, Feb 23, 2015 at 7:55 PM, Jonas Sicking <jo...@sicking.cc> wrote:
> A lot of websites accidentally enabled cross-origin requests with
> cookies, not realizing that that enabled attackers to make requests
> that had side-effects as well as read personal user data without user
> permission.
> In short, it was very easy to misconfigure a server, and people did.
> This is why I would feel dramatically more comfortable if we only
> enabled server-wide opt-in for credential-less requests. Those are
> many orders of magnitude easier to make secure.

Why is that not served by requiring an additional header that
explicitly opts into that case? That, combined with requiring that the
explicit origin be listed, has worked well for CORS so far.
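The misconfiguration Jonas describes, written out as an added example that is not part of the thread: a server that reflects any Origin and also sends Access-Control-Allow-Credentials: true, beside the explicit-origin allowlist the reply refers to, and beside the credential-less wildcard opt-in. The header names are standard CORS; the allowlist contents, the function names and the small audit helper (which goes a step beyond the thread by checking a captured response for the dangerous combination) are my own assumptions.

```javascript
// Added example, not code from the thread. Header names are standard CORS;
// ALLOWED_ORIGINS and the helper names are assumptions for illustration.

const ALLOWED_ORIGINS = new Set(["https://app.example", "https://admin.example"]); // constructed allowlist

// Misconfigured: reflects whatever Origin the client sent and allows credentials.
// Any site the user visits can now send cookie-bearing requests (side effects)
// and read the response (personal data) with no user permission involved.
function corsHeadersReflecting(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Explicit-origin allowlist: only a listed origin gets the credentialed grant.
// Everyone else gets no CORS headers at all, so the browser blocks the read.
// Vary: Origin keeps shared caches from serving one origin's grant to another.
function corsHeadersAllowlisted(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (!requestOrigin || !allowed.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Credential-less server-wide opt-in: wildcard origin, no credentials flag.
// Browsers never attach cookies to a response authorised only by "*".
function corsHeadersPublic() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Audit helper: given the response headers a server emitted for a probe
// origin, report whether that origin would be able to make credentialed
// cross-origin reads. Run it with an attacker-controlled origin to find
// the reflecting misconfiguration.
function auditCors(headers, probeOrigin) {
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  const creds = headers["Access-Control-Allow-Credentials"] === "true";
  if (!allowOrigin) {
    return { credentialedRead: false, reason: "no CORS headers" };
  }
  if (allowOrigin === "*") {
    // Browsers reject "*" for credentialed requests, so this is public data only.
    return { credentialedRead: false, reason: "wildcard origin, credentials not honoured" };
  }
  if (allowOrigin === probeOrigin && creds) {
    return { credentialedRead: true, reason: "probe origin granted with credentials" };
  }
  return { credentialedRead: false, reason: "origin not matched or no credentials" };
}
```

Probing with an origin that should never be trusted is the quick check: if `auditCors(headers, "https://evil.example")` reports a credentialed read, the server is reflecting origins, which is exactly the class of mistake the server-wide opt-in proposal is trying to rule out.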

