> On 9 Jun 2015, at 2:54 pm, Anne van Kesteren <ann...@annevk.nl> wrote: > > On Tue, Jun 9, 2015 at 6:42 AM, Martin Thomson <martin.thom...@gmail.com> > wrote: >> The security properties bother me a little. Alt-Svc is showing us >> that we can't just define a header field like that without some >> serious analysis. > > Same goes for a site-wide file. See crossdomain.xml. However, either > coupled with "credentials mode = omit" seems okayish... Mark, do these > CDN requests mention credentials?
Will look into it. Supporting without credentials (and leaving future extensibility for the possibility) would certainly be a good start. Cheers, -- Mark Nottingham m...@akamai.com https://www.mnot.net/
