On Tue, Feb 24, 2015 at 3:25 AM, Anne van Kesteren <ann...@annevk.nl> wrote: >> If that's the case then I think we'd get most of the functionality, >> with essentially none of the risk, by only allowing server-wide >> cookie-less preflights. > > If we only do it for this, could we combine that feature with the > existing preflight then? Support a "Access-Control-Allow-Origin-Wide: > true" header or some such that's mutually exclusive with > "Access-Control-Allow-Credentials: true".
I don't have opinions on this. / Jonas