> On 9 Jun 2015, at 2:54 pm, Anne van Kesteren <[email protected]> wrote:
>
> On Tue, Jun 9, 2015 at 6:42 AM, Martin Thomson <[email protected]> wrote:
>> The security properties bother me a little. Alt-Svc is showing us
>> that we can't just define a header field like that without some
>> serious analysis.
>
> Same goes for a site-wide file. See crossdomain.xml. However, either
> coupled with "credentials mode = omit" seems okayish... Mark, do these
> CDN requests mention credentials?

Will look into it. Supporting without credentials (and leaving future extensibility for the possibility) would certainly be a good start.

Cheers,

--
Mark Nottingham [email protected] https://www.mnot.net/
