I slapped https://mikewest.github.io/cors-rfc1918/ together this morning. WDYT, @BRIAN_____ @justinschuh @fugueish @ericlaw @frgx @imelven @sleevi_ @dveditz?
@mikewest @BRIAN_____ @justinschuh @fugueish @ericlaw CORS doesn't prevent simple CSRF since req. is made. Still want opt-in on top
@dveditz: The proposal would force a preflight, which is the opt-in. @BRIAN_____ @justinschuh @fugueish @ericlaw
@mikewest @dveditz @BRIAN_____ @fugueish @ericlaw I fear an enterprise holocaust with this version. Will give better feedback in a few days
@justinschuh: Ok. I suspect that's not going to be unique to this approach, but I'm curious! :) @dveditz @BRIAN_____ @fugueish @ericlaw
@mikewest @dveditz @BRIAN_____ @fugueish @ericlaw Best bet to mostly protect enterprises is making a safe compat option that's dead simple
@justinschuh: I don’t see how you square that with requiring opt-in, which I think we must do. @dveditz @BRIAN_____ @fugueish @ericlaw
@mikewest @dveditz @BRIAN_____ @fugueish @ericlaw Adding a new CORS Allow directive, rather than piggybacking on existing directives