[whatwg] CORS requests for image and video elements

Jonas Sicking jonas at sicking.cc
Mon Jun 20 12:25:25 PDT 2011


On Mon, Jun 20, 2011 at 6:39 AM, Anne van Kesteren <annevk at opera.com> wrote:
> On Sat, 21 May 2011 04:48:15 +0200, Jonas Sicking <jonas at sicking.cc> wrote:
>>
>> When we designed CORS we very intentionally did not want to allow
>> "allow *" rules for resources that are loaded with user credentials
>> (most significantly cookies). The reason was that we did not want
>> people to repeat the mistakes that happened when flash's cross-site
>> loading technology was deployed. Many sites added a "allow *" rule to
>> all their resources, thus accidentally leaking all user data to any
>> site that the user visited.
>
> That is not actually true as that would require a second header,
> Access-Control-Allow-Credentials. I think we should stop banning "*".

It's still very easy to add those two static headers and thus expose
your whole site to attack (most servers allow adding headers on a
per-subtree basis).

I also don't see a reason to allow it as so far I haven't heard of
anyone having problems due to the lack of ability to use *-rules in
combination with cookies.

So I'm strongly against allowing this.

/ Jonas



More information about the whatwg mailing list