On Mon, Jun 20, 2011 at 6:39 AM, Anne van Kesteren <[email protected]> wrote:
> On Sat, 21 May 2011 04:48:15 +0200, Jonas Sicking <[email protected]> wrote:
>>
>> When we designed CORS we very intentionally did not want to allow
>> "allow *" rules for resources that are loaded with user credentials
>> (most significantly cookies). The reason was that we did not want
>> people to repeat the mistakes that happened when Flash's cross-site
>> loading technology was deployed. Many sites added an "allow *" rule to
>> all their resources, thus accidentally leaking all user data to any
>> site that the user visited.
>
> That is not actually true as that would require a second header,
> Access-Control-Allow-Credentials. I think we should stop banning "*".
It's still very easy to add those two static headers and thus expose your
whole site to attack (most servers allow adding headers on a per-subtree
basis). I also don't see a reason to allow it as so far I haven't heard of
anyone having problems due to the lack of ability to use *-rules in
combination with cookies. So I'm strongly against allowing this.

/ Jonas
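The rule under discussion, shown in code as an added example that is not part of the thread and not from either author: `browser_permits` implements the browser-side CORS check that rejects `Access-Control-Allow-Origin: *` on a credentialed request, `cors_headers` shows the server-side alternative (echo an allowlisted origin plus `Vary: Origin`), and `audit` flags the "two static headers" combination at configuration-review time. The allowlist origins and all function names are constructed for this example.

```python
from typing import Dict, List, Optional

# Constructed allowlist of sites permitted to make credentialed (cookie-bearing)
# cross-origin requests; the real list is an assumption of this example.
ALLOWED_ORIGINS = frozenset({"https://app.example", "https://admin.example"})


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def cors_headers(request_origin: Optional[str],
                 credentials: bool = True,
                 allowlist=ALLOWED_ORIGINS) -> Dict[str, str]:
    """Server side: build the CORS headers for one response.

    A credentialed response never uses '*'. The requesting origin is echoed
    back only if it is on the allowlist, and 'Vary: Origin' tells shared caches
    that the answer depends on who asked. A public, non-credentialed resource
    may still use '*'.
    """
    if not credentials:
        return {"Access-Control-Allow-Origin": "*"}
    if request_origin is None or request_origin not in allowlist:
        # Unknown origin: send no CORS headers, so the browser withholds the body.
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def browser_permits(headers: Dict[str, str], request_origin: str,
                    with_credentials: bool) -> bool:
    """Browser side: the CORS check as the Fetch standard specifies it.

    '*' only satisfies a request made without credentials; a credentialed
    request needs the exact requesting origin plus Allow-Credentials: true
    (compared byte-wise). This is the ban the thread is about.
    """
    allow_origin = _get(headers, "Access-Control-Allow-Origin")
    if allow_origin is None:
        return False
    if allow_origin == "*":
        return not with_credentials
    if allow_origin != request_origin:
        return False
    if not with_credentials:
        return True
    return _get(headers, "Access-Control-Allow-Credentials") == "true"


def audit(headers: Dict[str, str]) -> List[str]:
    """Config review: report the 'two static headers' combination Jonas warns
    about, plus a missing Vary when a specific origin is echoed back."""
    findings: List[str] = []
    allow_origin = _get(headers, "Access-Control-Allow-Origin")
    credentialed = _get(headers, "Access-Control-Allow-Credentials") == "true"
    if allow_origin == "*" and credentialed:
        findings.append("wildcard origin combined with Allow-Credentials: true")
    if allow_origin not in (None, "*") and credentialed:
        vary = _get(headers, "Vary") or ""
        if "origin" not in [v.strip().lower() for v in vary.split(",")]:
            findings.append("per-origin credentialed response lacks Vary: Origin")
    return findings


if __name__ == "__main__":
    static = {"Access-Control-Allow-Origin": "*",
              "Access-Control-Allow-Credentials": "true"}
    print("browser permits static '*' + credentials:",
          browser_permits(static, "https://app.example", True))
    print("audit findings:", audit(static))
    print("allowlisted origin gets:", cors_headers("https://app.example"))
```

`browser_permits` is why the two static headers do not by themselves leak data to a conforming browser; `audit` is still useful because a server that drops the allowlist and simply echoes whatever Origin it receives passes the browser check while granting exactly the blanket access the original ban was meant to prevent.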
