Seems like we should be able to make A->A use a single connection whether credentialed or not.
There are tons of ways to do that even if separate connections. But if that's the threat, what is the solution that eliminates C?
The most obvious one is to exempt same-origin requests from the rule. A->A should share a connection even if mixed anon/credentialed.
To be honest, I have not been able to get people to be very crisp about the risks here. Security people at browsers aren't talkative.
I'm pretty sure if we enumerated the risks that all browsers agree are the reasons for the spec, we could find better solutions.