On Mon, Feb 23, 2015 at 8:42 PM, Jonas Sicking <jo...@sicking.cc> wrote:
> On Mon, Feb 23, 2015 at 11:06 AM, Anne van Kesteren <ann...@annevk.nl> wrote:
>> That combined with requiring to list the explicit origin has worked well
>> for CORS so far.
>
> This could potentially help.
>
> I don't remember the details of how/why people screwed up with
> crosssite.xml. But if the problem was that people hosted multiple
> services on the same server and only thought of one of them when
> writing a policy, then this won't really help very much.

http://www.jamesward.com/2009/11/08/how-bad-crossdomain-policies-expose-protected-data-to-malicious-applications/
seems to support that.


> Do we have any data on how common it is for people to use CORS with
> credentials? My impression is that it's far less common than CORS
> without credentials.

I don't have data. It seems we don't have telemetry for this in Gecko.
Anyone else?

I would also suspect that Access-Control-Allow-Origin: * is more common.


> If that's the case then I think we'd get most of the functionality,
> with essentially none of the risk, by only allowing server-wide
> cookie-less preflights.

If we only do it for this, could we combine that feature with the
existing preflight then? Support an "Access-Control-Allow-Origin-Wide:
true" header or some such that's mutually exclusive with
"Access-Control-Allow-Credentials: true".


-- 
https://annevankesteren.nl/
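An added example (not from the thread, Gecko, or any specification) modelling the check a browser would make under the proposal above: the existing CORS origin and credentials rules, plus the proposed Access-Control-Allow-Origin-Wide header, which is honoured only for cookie-less requests and rejected when paired with Access-Control-Allow-Credentials: true. The header name is the one suggested in the mail, not a shipped header, and the origins and header sets are constructed.

```python
# Added example: models the response check a browser would make under the proposal
# in this thread. "Access-Control-Allow-Origin-Wide" is the header name suggested in
# the mail, not a shipped or standardized header.
from typing import Dict, Tuple

def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header-name lookup; the value is returned as sent."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v.strip()
    return ""

def cors_preflight_result(headers: Dict[str, str], request_origin: str,
                          with_credentials: bool) -> Tuple[bool, str]:
    """Return (allowed, scope): "server" when the proposed Origin-Wide header lets a
    cookie-less preflight result apply server-wide, "resource" for an ordinary CORS
    grant, "none" when the response is rejected."""
    acao = _header(headers, "Access-Control-Allow-Origin")
    # CORS compares this value exactly: only the literal "true" counts.
    acac = _header(headers, "Access-Control-Allow-Credentials") == "true"
    wide = _header(headers, "Access-Control-Allow-Origin-Wide") == "true"
    if wide and acac:
        return False, "none"  # mutually exclusive, as the proposal requires
    if acao not in ("*", request_origin):
        return False, "none"  # requesting origin not listed
    if with_credentials:
        if acao == "*" or not acac:
            return False, "none"  # wildcard, or ACAC missing, with credentials
        return True, "resource"  # credentialed grants never widen
    return True, ("server" if wide else "resource")

# Constructed sample deployments (not from the thread) for the audit below.
SAMPLE_POLICIES = {
    "public-api": {"Access-Control-Allow-Origin": "*",
                   "Access-Control-Allow-Origin-Wide": "true"},
    "partner-api": {"Access-Control-Allow-Origin": "https://app.example",
                    "Access-Control-Allow-Credentials": "true"},
    "misconfigured": {"Access-Control-Allow-Origin": "https://app.example",
                      "Access-Control-Allow-Credentials": "true",
                      "Access-Control-Allow-Origin-Wide": "true"},
}

def audit(policies: Dict[str, Dict[str, str]], origin: str):
    """Evaluate each deployment for a cookie-less and a credentialed request."""
    return {name: (cors_preflight_result(h, origin, False),
                   cors_preflight_result(h, origin, True))
            for name, h in policies.items()}

if __name__ == "__main__":
    for name, result in audit(SAMPLE_POLICIES, "https://app.example").items():
        print(f"{name}: cookie-less={result[0]} credentialed={result[1]}")
```

The "misconfigured" entry shows the combination the proposal rules out: once the two headers are mutually exclusive, a server that ships both gets no grant at all rather than a credentialed server-wide one.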