Hi -

> [...]
> I think it will allow public web clients to exfiltrate debuginfo data
> from debuginfod servers on private intranets. Previously, the
> cross-origin restrictions on web content would have prevented that.

Yes, this is the flip side of the CORS default coin. ISTM the convenience is a larger benefit than this risk. Users that disagree can do the reverse-proxy header-filtering to defeat it. 'course we can also be more noncommittal and make it a command line option.

- FChE