Not sure why you've cc'd our vulnerability reporting address; did you mean [email protected] instead?

On 8/26/2013 2:10 PM, Peter Bengtsson wrote:
> So, when you know that your URL does not potentially trigger any
> sensitive changes without the user being explicitly aware of it, then * it.
>
> I like the simplicity of that.

CORS: * is always safe for a public site, or at least as safe as your application is for users of pre-CORS browsers. (maybe not so great for intranet sites.)
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
