On Mon 2019-03-25 22:08:30 +0100, Wiktor Kwapisiewicz wrote:
And the wording may be something like: "It is RECOMMENDED that the key
is returned with 'Access-Control-Allow-Origin' HTTP header set to value
'*'".
I think this is potentially dangerous if it is done on the main domain
(e.g. at "example.net", instead of the "advanced" form at
"openpgpkey.example.net"), because the main domain for any given site
might have resources where this CORS header would be inappropriate.
Assuming that the "advanced" domain "openpgp.example.net" is used, and
the document tree published there is limited to WKD, then i agree that
such a CORS statement seems safe, though.
I don't know CORS well enough to know how to properly constrain such a
header, but if we do add guidance, i'd want to make sure it is narrowly
scoped so that an administrator deploying WKD doesn't accidentally open
up the rest of the site's data to external cross-origin requests.
--dkg
signature.asc
Description: PGP signature
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp