@mikewest I like and agree with @justinschuh's suggestion in the issue he raised.
Replying to @frgx
@mikewest also, I think this is far more likely to succeed if preflight wasn't mandatory. @justinschuh
Replying to @frgx
@frgx @justinschuh: Also, the mandatory preflight is the whole point. I don’t think we can do without it.
Replying to @mikewest
@mikewest do you have examples of vulns that have actually occurred just because of the ability to make a request? @justinschuh
Replying to @frgx
@mikewest CORS is so confusing and painful that developers use --disable-web-security. Preflight doubly so @justinschuh
Replying to @frgx
@frgx: That's an argument for better tooling, not for `--disable-web-security`, which I'm working on neutering. @justinschuh
Replying to @mikewest
@mikewest @frgx @justinschuh Every server must defend against CSRF. If servers defend against CSRF then most/all of this is unneeded, right?
Replying to @BRIAN_____
@BRIAN_____: Yes. Empirically, that seems to prove to be a bad assumption. It's only going to get worse with unupdatable IoT @frgx @justinschuh
Replying to @BRIAN_____
@BRIAN_____: That devices targeted to intranet deployment effectively defend against CSRF. @frgx @justinschuh
@mikewest @frgx @justinschuh I said it is their responsibility to do so. I didn't say they actually fulfill their responsibility.