Hence we should default to not sending cookies and provide a way to opt in to sending them. If other implementations go a different way, we can re-evaluate this decision later.

To mitigate the risk of misunderstanding what opting in to CORS means (namely that you are opting in to more than just cross-site EventSource), the documentation should state clearly that enabling CORS on a stream exposes the full contents of that stream to the loading site. We could try to mitigate this through technical means, but the added complexity would likely create further opportunities for misunderstanding.
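As an added illustration of the default-closed, explicit opt-in policy described above (example code, not part of the wiki page or of any browser implementation): a server-side helper that decides the CORS response headers for a Server-Sent Events endpoint. The `streamConfig` shape, the function name, and the origins in the comments are assumptions; the browser-side counterpart of the cookie opt-in is the real `withCredentials` option of `EventSource`.

```javascript
// Policy for a cross-origin EventSource endpoint: no exposure and no
// cookies unless the stream owner has explicitly opted in. Opting in to
// credentials is a separate, deliberate step from opting in to CORS.
// streamConfig is a hypothetical per-stream record:
//   allowedOrigins:   origins the owner opted in for ('*' = any origin)
//   allowCredentials: whether cookies may accompany cross-origin requests
function corsHeadersForStream(requestOrigin, streamConfig) {
  const cfg = { allowedOrigins: [], allowCredentials: false, ...streamConfig };
  const headers = { 'Content-Type': 'text/event-stream' };

  // Same-origin request (no Origin header): nothing to add.
  if (!requestOrigin) return headers;

  const wildcard = cfg.allowedOrigins.includes('*');
  const listed = cfg.allowedOrigins.includes(requestOrigin);

  // Default-closed: without an opt-in, no Access-Control-Allow-Origin is
  // emitted, so the browser withholds the stream from the loading site.
  if (!wildcard && !listed) return headers;

  if (cfg.allowCredentials) {
    // Cookies may only be honoured for an origin the owner listed
    // explicitly. '*' combined with credentials is refused by browsers,
    // and echoing arbitrary origins would hand the authenticated stream
    // to every site, so a wildcard opt-in does not unlock credentials.
    if (!listed) return headers;
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Access-Control-Allow-Credentials'] = 'true';
    headers['Vary'] = 'Origin';
  } else {
    // Anonymous cross-origin read: the whole stream is visible to the
    // allowed site, which is exactly what the documentation must say.
    headers['Access-Control-Allow-Origin'] = wildcard ? '*' : requestOrigin;
    if (!wildcard) headers['Vary'] = 'Origin';
  }
  return headers;
}

// Client side, in a browser: `new EventSource(url)` sends no cookies
// cross-origin; `new EventSource(url, { withCredentials: true })` is the
// explicit opt-in that pairs with allowCredentials on the server.
```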
[[Category:SecReview|CrossOriginEventSource]] |