- From: Jonas Sicking <notifications@github.com>
- Date: Wed, 03 Feb 2016 15:53:01 -0800
- To: w3ctag/spec-reviews <spec-reviews@noreply.github.com>
Received on Wednesday, 3 February 2016 23:53:32 UTC
Note that the problem is worse than the withCredentials flag. There's currently **three** modes that you can make a cross-origin network request in: * CORS withCredentials=false * CORS withCredentials=true * no-CORS. Aka "request for embedding, not for reading" Most HTML features use the last. For example `<img>`, `<script>` and `<iframe>`. Those APIs ask the server to load the data, but promises not to expose (most of) the returned data to the loader. XHR only uses the first two modes, whereas `<img>` and `<script>` currently supports all three modes. --- Reply to this email directly or view it on GitHub: https://github.com/w3ctag/spec-reviews/issues/76#issuecomment-179537518
Received on Wednesday, 3 February 2016 23:53:32 UTC