Not sure why you've cc'd our vulnerability reporting address; did you mean dev-security@lists.mozilla.org instead?

On 8/26/2013 2:10 PM, Peter Bengtsson wrote:
> So, when you know that your URL does not potentially trigger any
> sensitive changes without the user being explicitly aware of it, then * it.
>
> I like the simplicity of that.

CORS: * is always safe for a public site, or at least as safe as your application is for users of pre-CORS browsers. (maybe not so great for intranet sites.)
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security