Re: [fetch] Add new Access-Control-Suppress-Headers CORS response header (#253)

@sicking, yes, I thought you'd say that :)

I don't want to beat a dead horse here, but:

With all due respect to yourself, Anne, Craig (and any others who have been involved in the 3 issues I have raised recently as well as the development of the CORS standard), I am concerned that you have been lucky enough to have had experiences (within the 'pure tech' world of browser development) that are more 'limited' than mine.

My experience is the opposite - I think it's actually pretty common to have the sort of setup that I described - in fact, it's taken from real life. I'm saying this from many years working with customers in the retail, manufacturing and financial segments, as well as developing software myself. Obviously my experiences may not mirror the wider 'web community' and I hesitate to extrapolate too far, but I'm explicitly **not** coming from the pure tech side. I have seen different teams develop different areas of the application(s), which are then updated over the years by other teams. Documentation is minimal (if existent at all). Most people understand their own language/team/tool (and may be excellent at it!), but may not have much understanding of the wider scope of things. For instance, they can put together a great Java application to retrieve data from the backend and build a JSON response, but they don't know about more than the basics, since some other software will actually deal with sending that data to the browser.

Additionally, my experience (again!) is that _most_ requests are made with credentials - basically, to pass/retrieve cookies. For instance, retail sites (amongst many others) use **lots** of cookies, and often need to include them with every request. If in doubt, developers will set `xhr.withCredentials = true;` and then go from there (and spend a long time trying to figure out why an ACAO value of * doesn't work).

I agree however, that there are multiple ways round this. I just thought that this was simpler for the end user to understand and implement.

Finally, why do you say that this is only an issue for requests that include credentials?

---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/253#issuecomment-200054071

Received on Tuesday, 22 March 2016 22:12:33 UTC
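The comment above mentions developers setting `xhr.withCredentials = true;` and then puzzling over why an `Access-Control-Allow-Origin: *` response does not work. The following is an added example, not code from the thread or from the Fetch standard's editors: it models the CORS response check a browser applies (wildcard allowed only without credentials; with credentials the origin must match exactly and `Access-Control-Allow-Credentials` must be the literal `true`), and shows the defender-side counterpart, a server helper that echoes an origin only if it is on an explicit allowlist rather than reflecting whatever `Origin` arrives. The origin `https://shop.example` and the sample responses are constructed for illustration.

```javascript
// Added example (not from the thread): a model of the browser-side CORS check
// for a credentialed vs. non-credentialed request, plus an allowlist-based
// server helper. Header names are the real CORS ones; sample values are constructed.

// credentialsMode is "include" (xhr.withCredentials = true) or "omit"/"same-origin".
// responseHeaders is a plain object of the server's response headers.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  // HTTP header names are case-insensitive, so normalise before lookup.
  const lower = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    lower[name.toLowerCase()] = value;
  }
  const acao = lower['access-control-allow-origin'];
  const acac = lower['access-control-allow-credentials'];

  if (acao === undefined) {
    return { ok: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  if (credentialsMode !== 'include') {
    // Without credentials the wildcard is acceptable, as is an exact origin match.
    if (acao === '*') return { ok: true, reason: 'wildcard allowed without credentials' };
    if (acao === requestOrigin) return { ok: true, reason: 'origin matches' };
    return { ok: false, reason: 'origin mismatch' };
  }
  // With credentials the wildcard is rejected outright, the origin must match
  // exactly, and Access-Control-Allow-Credentials must be the string "true".
  if (acao === '*') return { ok: false, reason: 'wildcard not allowed with credentials' };
  if (acao !== requestOrigin) return { ok: false, reason: 'origin mismatch' };
  if (acac !== 'true') {
    return { ok: false, reason: 'Access-Control-Allow-Credentials is not "true"' };
  }
  return { ok: true, reason: 'credentialed response allowed' };
}

// Server-side helper (hypothetical, for illustration): produce the response headers
// for a credentialed endpoint. The origin is echoed only when it is on an explicit
// allowlist; reflecting an arbitrary Origin together with ACAC: true would let any
// site read the cookie-authenticated response, so an unknown origin gets no CORS headers.
function corsHeadersFor(requestOrigin, allowlist) {
  if (!allowlist.includes(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    // Responses differ per origin, so caches must key on the Origin header.
    'Vary': 'Origin',
  };
}

// Constructed walk-through: the same wildcard response, with and without credentials,
// then the allowlist helper feeding the check.
const ORIGIN = 'https://shop.example';             // constructed
const ALLOWLIST = ['https://shop.example'];         // constructed
const wildcard = { 'Access-Control-Allow-Origin': '*' };

console.log('omit    + *      :', corsCheck(ORIGIN, 'omit', wildcard));
console.log('include + *      :', corsCheck(ORIGIN, 'include', wildcard));
console.log('include + echo   :', corsCheck(ORIGIN, 'include', corsHeadersFor(ORIGIN, ALLOWLIST)));
console.log('include + unknown:', corsCheck('https://other.example', 'include',
  corsHeadersFor('https://other.example', ALLOWLIST)));
```

The two failure branches worth remembering are the ones developers hit in practice: a wildcard with credentials, and an echoed origin without `Access-Control-Allow-Credentials: true`. The allowlist helper is the usual fix on the server side, and `Vary: Origin` keeps a shared cache from serving one origin's headers to another.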