Re: [fetch] RFC: a mechanism to bypass CORS preflight (#210)

To be clear, what I mean by "per-directory" is "per directory including subdirectories". So that would let you opt in for the whole origin using "/".

That said, there are still a lot of problems to solve.

* I don't *believe* (though happy to be proven wrong) that it's reasonable to add additional requests for already existing usage patterns. So we can't make existing APIs like XHR/`<img>`/etc make additional requests to `/.well-known/whatever` before at least making the initial request to the desired URL. Especially on http/1.1 servers. Probably on failure we could try to make requests to `/.well-known/...` though.

* The reason we didn't add per-directory policies originally was because some servers had very weird URL handling. Allowing `/A/something` to be fetched using `/B/<stuff here>/A/something`. I specifically think this affected Microsoft's IIS. Do we have reason to believe that no such server software exists today? Or at least that server admins that run those servers know about this quirk and wouldn't use the per-directory policies?

* I'm still not convinced that it's worth creating a server-side API for dealing with the withCredentials problem. I feel pretty confident that by far most CORS requests don't use cookies (and are safer because of it). The ones that need cookies have a solution, though it requires client-side changes. This doesn't seem different than that the request headers that UAs send by default are enough for most developers, and the ones that need other headers set need to use APIs which accept additional information in addition to the URL. (I've heard more requests for enabling custom headers and verbs in `<img>` than requests for getting rid of .withCredentials).

* On the topic of .withCredentials, the privacy problem I [mention on www-tag](https://lists.w3.org/Archives/Public/www-tag/2016Feb/0007.html) still exists. I don't know how we make a decision there.

All that said, I'm happy to look at a proposal if someone puts one together.

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/210#issuecomment-179561072

Received on Thursday, 4 February 2016 01:17:33 UTC
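The second bullet above (odd server-side URL handling defeating a per-directory opt-in) is easy to misread as a client-side normalization problem. The following is an added illustration, not code from the fetch issue thread or from any browser: it models a hypothetical per-directory policy table (the `POLICY` object and its format are invented for this example), scopes a request URL on the client after the URL parser has removed dot-segments, and then contrasts that with a simulated server (`quirkyResolve`, also invented) that aliases `/B/<stuff>/A/something` onto `/A/something`, to show that the client's scoping decision cannot detect this kind of server quirk.

```javascript
// Added example (not part of the whatwg/fetch thread). Models why a
// per-directory preflight exemption is only as safe as the server's own
// URL-to-resource mapping.

// Hypothetical policy table: directory prefix -> whether cross-origin
// requests under it may skip the CORS preflight. Format is invented here.
// "/B/" is opted in (public content); "/A/" is not (private content).
const POLICY = { "/A/": false, "/B/": true };

// Directory scope the client would assign to a request URL. The WHATWG URL
// parser already removes dot-segments, so "/B/../A/x" resolves to "/A/x" and
// is correctly scoped under "/A/". Longest matching prefix wins.
function scopeFor(url) {
  const path = new URL(url).pathname;
  const matches = Object.keys(POLICY).filter((dir) => path.startsWith(dir));
  matches.sort((a, b) => b.length - a.length);
  return matches.length ? matches[0] : null;
}

// Would the client skip the preflight for this URL under the policy table?
function preflightExempt(url) {
  const scope = scopeFor(url);
  return scope !== null && POLICY[scope] === true;
}

// Simulated server with the quirk described in the thread: any path of the
// form "/B/<stuff>/A/<rest>" is served as if it were "/A/<rest>". This is a
// constructed stand-in, not the behaviour of any named product.
function quirkyResolve(path) {
  const m = path.match(/^\/B\/.*?(\/A\/.*)$/);
  return m ? m[1] : path;
}

// Policy scope of the resource the quirky server would actually serve.
function servedScope(url) {
  const served = quirkyResolve(new URL(url).pathname);
  return scopeFor(new URL(served, url).toString());
}

// True when the client would skip the preflight but the resource actually
// served lives in a directory that was never opted in. This is the gap the
// commenter is worried about, and nothing on the client side can close it.
function policyBypassed(url) {
  const servedIn = servedScope(url);
  return preflightExempt(url) && !(servedIn !== null && POLICY[servedIn] === true);
}

// Constructed sample requests against a hypothetical origin.
const SAMPLES = [
  "https://example.test/B/index.json",      // public, exempt, served as-is
  "https://example.test/A/secret.json",     // private, not exempt
  "https://example.test/B/../A/secret.json", // dot-segments: parser fixes it
  "https://example.test/B/junk/A/secret.json", // server quirk: client fooled
];

for (const u of SAMPLES) {
  console.log(u, "exempt:", preflightExempt(u), "bypassed:", policyBypassed(u));
}
```

The third sample shows that dot-segment tricks are handled by URL parsing alone; the fourth shows that once the server itself maps one directory onto another, the client has no signal, which is why the commenter asks whether such server software still exists rather than proposing a client-side fix.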