Not sure why you've cc'd our vulnerability reporting address; did you
mean dev-security@lists.mozilla.org instead?
        
On 8/26/2013 2:10 PM, Peter Bengtsson wrote:
> So, when you know that your URL does not potentially trigger any
> sensitive changes without the user being explicitly aware of it, then * it.
> 
> I like the simplicity of that.

CORS: * is always safe for a public site, or at least as safe as your
application is for users of pre-CORS browsers. (maybe not so great for
intranet sites.)



_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security