Closed youennf closed 5 years ago
This sounds highly related to https://github.com/w3c/resource-timing/issues/178 and not necessarily Server Timing specific. Is that correct?
Oh right, it should be a resource-timing issue not a server timing one. Let's close this one then.
ACAO does not allow credentials to be used for value '*'. There is no similar constraint for TAO. The Origin header might not always be set in a given request, so this makes it harder to always provide specific information for TAO in the response.
That said, servers using '*' might be at bigger risk, say in case of no-cors/credential loads. Should '*' use be forbidden in case of credentials? Should there be wording in the spec discouraging the use of '*'?