On Sat, 21 May 2011 04:48:15 +0200, Jonas Sicking <[email protected]> wrote:
When we designed CORS we very intentionally did not want to allow
"allow *" rules for resources that are loaded with user credentials
(most significantly cookies). The reason was that we did not want
people to repeat the mistakes that happened when flash's cross-site
loading technology was deployed. Many sites added an "allow *" rule to
all their resources, thus accidentally leaking all user data to any
site that the user visited.

That is not actually true as that would require a second header, Access-Control-Allow-Credentials. I think we should stop banning "*".


--
Anne van Kesteren
http://annevankesteren.nl/

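For readers following the exchange above, the following is an added worked example (not code from Jonas, Anne, or any browser) that models the browser-side CORS response check the two messages are arguing about. It implements the rule as specified: `Access-Control-Allow-Origin: *` is accepted only for requests sent without credentials, and a credentialed response is readable only when the origin is echoed back exactly and a second header, `Access-Control-Allow-Credentials: true`, is also present. The origins, header sets and the `corsCheck` name are constructed for illustration.

```javascript
// Added example: a model of the browser-side CORS check, written from
// scratch for this thread. corsCheck() returns true if the requesting
// page may read the cross-origin response body, false if the browser
// must block it. The function name and test inputs are assumptions.

function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  // Header names are case-insensitive; normalise to a trimmed string or
  // null when the header is absent.
  const get = (name) => {
    const key = Object.keys(responseHeaders).find(
      (k) => k.toLowerCase() === name.toLowerCase()
    );
    return key === undefined ? null : String(responseHeaders[key]).trim();
  };

  const allowOrigin = get("Access-Control-Allow-Origin");
  const allowCredentials = get("Access-Control-Allow-Credentials");

  // No Access-Control-Allow-Origin at all: the response is always blocked.
  if (allowOrigin === null) return false;

  const withCredentials = credentialsMode === "include";

  // Without credentials, "*" or an exact origin match is sufficient.
  if (!withCredentials) {
    return allowOrigin === "*" || allowOrigin === requestOrigin;
  }

  // With credentials (cookies, HTTP auth, client certs), "*" is rejected
  // regardless of any other header; the origin must be echoed exactly...
  if (allowOrigin !== requestOrigin) return false;

  // ...and the second header must be exactly "true" (not "True", not "1").
  return allowCredentials === "true";
}

// Constructed scenarios: a page at attacker.example reading a resource
// that a user is logged in to. Each entry is [credentialsMode, headers].
function evaluateCases() {
  const origin = "https://attacker.example";
  const cases = [
    ["omit", { "Access-Control-Allow-Origin": "*" }],
    ["include", { "Access-Control-Allow-Origin": "*" }],
    ["include", { "Access-Control-Allow-Origin": "*",
                  "Access-Control-Allow-Credentials": "true" }],
    ["include", { "Access-Control-Allow-Origin": origin }],
    ["include", { "Access-Control-Allow-Origin": origin,
                  "Access-Control-Allow-Credentials": "true" }],
    ["include", { "Access-Control-Allow-Origin": origin,
                  "Access-Control-Allow-Credentials": "True" }],
    ["include", { "Access-Control-Allow-Origin": "https://other.example",
                  "Access-Control-Allow-Credentials": "true" }],
  ];
  return cases.map(([mode, headers]) => ({
    mode,
    allowOrigin: headers["Access-Control-Allow-Origin"],
    allowCredentials: headers["Access-Control-Allow-Credentials"] || "(absent)",
    readable: corsCheck(origin, mode, headers),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(evaluateCases());
}
```

The second and third scenarios are the ones the thread turns on: a site that blindly adds `Access-Control-Allow-Origin: *` to every resource leaks nothing to a credentialed cross-site reader, because the check also demands an exact origin echo plus `Access-Control-Allow-Credentials: true`. Dropping the ban on `*` that Anne proposes would amount to removing the `allowOrigin !== requestOrigin` rejection for the `*` case while keeping the credentials-header requirement.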