Re: [fetch] Update Access-Control-Allow-Headers CORS response header to allow * (allow-all) (#251)

@annevk & @craigfrancis, what about allowing `Access-Control-Allow-Headers: *` even on credentialed requests?

I understand that we can't have credentialed requests with `Access-Control-Allow-Origin: *` at least in part because cookies need to be specific to a domain, so if the response includes the _Set-Cookie_ header, we need to know which domain it's going to be created in. But why should this limitation apply to specifying which request headers are allowed? Headers aren't specific to a requesting domain like cookies.

Unless I'm missing something security-wise, allowing `Access-Control-Allow-Headers: *` on a credentialed request wouldn't open up any new security holes, would it? All this would do is tell the browser to allow all headers to be sent in the CORS request to the server without being specified individually - it's not a guarantee that the server will actually 'process' them.

As far as `Access-Control-Allow-Methods: *` goes, given that the possible set of methods is far more limited, I don't feel strongly about it. It's probably nice to add, simply to have some standardization across all the Access-Control-Allow request headers, but it's not a deal-breaker.

@annevk, OK, I will create an issue/PR for each new example. Also, is there any way to get W3C to update the current CORS spec they have to note that they are no longer updating it, and that it's been taken over by WHATWG?

---
https://github.com/whatwg/fetch/issues/251#issuecomment-200474201

Received on Wednesday, 23 March 2016 18:16:45 UTC
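As an added illustration (not code from the Fetch specification or from this thread), the following models the browser-side preflight header check under the semantics the comment is questioning: `*` in `Access-Control-Allow-Headers` is honoured as a wildcard only when the request carries no credentials, and is otherwise matched literally. The safelisted header set and the sample inputs are a constructed, simplified subset.

```python
# Added example modelling the CORS preflight header check discussed above.
# Assumption: "*" in Access-Control-Allow-Headers expands to "any header" only
# for non-credentialed requests; on credentialed requests it is a literal token.

# Simplified subset of CORS-safelisted request headers (the value restrictions
# that apply to e.g. Content-Type are ignored here for brevity).
SAFELISTED = {"accept", "accept-language", "content-language", "content-type"}


def parse_header_list(value):
    """Split a comma-separated header-list value into lowercased tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def preflight_allows_headers(requested, allow_headers, credentialed):
    """Return True if every non-safelisted requested header is permitted.

    requested:     header names the request wants to send
    allow_headers: the Access-Control-Allow-Headers response value (or None)
    credentialed:  True when the request carries cookies/auth (credentials
                   mode "include")
    """
    allowed = parse_header_list(allow_headers or "")
    # Wildcard expansion is withheld on credentialed requests (assumption above).
    wildcard = "*" in allowed and not credentialed
    for name in (h.lower() for h in requested):
        if name in SAFELISTED:
            continue  # never needs to be listed
        if wildcard or name in allowed:
            continue  # covered by "*" or listed explicitly
        return False  # browser would fail the preflight
    return True


if __name__ == "__main__":
    # "*" admits a custom header on an anonymous request...
    print(preflight_allows_headers(["X-Custom"], "*", credentialed=False))
    # ...but not on a credentialed one, the restriction the comment questions.
    print(preflight_allows_headers(["X-Custom"], "*", credentialed=True))
    # Listing the header explicitly is accepted in both modes.
    print(preflight_allows_headers(["X-Custom"], "X-Custom, Authorization",
                                   credentialed=True))
```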