(Created page with "= Security Review Pre-Work = We already have support for Server Sent DOM Events. This was done in {{bug|338583}} and security review happened in [[Security/Reviews/Firefox6/Revie...") |
Line 20: | Line 20: | ||
* Can't opt in to sharing private data with "the world" without using custom server-side scripting which echos back the "Origin" header in the "Access-Control-Allow-Origin" header. | * Can't opt in to sharing private data with "the world" without using custom server-side scripting which echos back the "Origin" header in the "Access-Control-Allow-Origin" header. | ||
* Sharing private data requires setting two explicit headers: "Access-Control-Allow-Origin" and "Access-Control-Allow-Credentials". | * Sharing private data requires setting two explicit headers: "Access-Control-Allow-Origin" and "Access-Control-Allow-Credentials". | ||
Additionally, we're reusing the same code as used for cross-site XMLHttpRequest, cross-site @font-face, CORS-based <img>. | |||
= Topics To Discuss During The Review = | = Topics To Discuss During The Review = |
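Review bot: The added sentence after the two header bullets claims the same code is reused for cross-site XMLHttpRequest, cross-site @font-face and CORS-based <img>, but it gives no pointer to that code or to the reviews that covered it, so a reader cannot tell which of the earlier findings carry over to this feature. Suggest linking the relevant bugs or review pages the way the page introduction does with {{bug|338583}}, and adding "and" before the last item in the list.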