Re: [fetch] Update Access-Control-Allow-Headers CORS response header to allow * (allow-all) (#251)

To clarify. I think `Access-Control-Allow-Headers: *` for requests without credentials is quite fine. That's generally no different than what can be done from non-browser clients anyway.

I think `Access-Control-Allow-Headers: *` in requests with credentials is quite risky and will likely lead to security problems.

> My concern is that if we don't allow Access-Control-Allow-Headers: * on a credentialed request, then this will significantly restrict some really useful new functionality.

I don't think this is an accurate characterization. All functionality is already there. What we're debating here is making certain things **easier**.

---
https://github.com/whatwg/fetch/issues/251#issuecomment-200492955

Received on Wednesday, 23 March 2016 18:52:35 UTC
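As an added illustration of the distinction drawn in the comment above (example code, not part of the thread or of the Fetch specification): the first function models a preflight check in which `*` acts as a wildcard only when the request carries no credentials, and the second shows the server-side counterpart, which never emits `*` alongside credentials. The safelist handling and the helper names are simplifications assumed for the example.

```javascript
// Added example modelling the behaviour argued for above: "*" in
// Access-Control-Allow-Headers is a wildcard only for credential-less
// requests; with credentials it matches nothing but a header literally named "*".
// Assumption: header names compare ASCII case-insensitively, and the
// CORS-safelisted headers are treated as always allowed (value limits ignored).
const CORS_SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);

// Parse the comma-separated header-name list into lower-cased names.
function parseAllowHeaders(value) {
  if (value === null || value === undefined) return [];
  return value.split(",").map(h => h.trim().toLowerCase()).filter(h => h.length > 0);
}

// Client-side view: would the preflight response permit these request headers?
// requestHeaders: names the page wants to send; credentials: true when cookies/auth
// would be attached; allowHeaderValue: the Access-Control-Allow-Headers response value.
function preflightAllowsHeaders(requestHeaders, credentials, allowHeaderValue) {
  const allowed = new Set(parseAllowHeaders(allowHeaderValue));
  const wildcard = !credentials && allowed.has("*");
  for (const name of requestHeaders) {
    const lower = name.toLowerCase();
    if (CORS_SAFELISTED.has(lower)) continue; // never needs listing (simplified)
    if (wildcard) continue;                   // "*" covers it, credential-less only
    if (!allowed.has(lower)) return false;    // with credentials every name is explicit
  }
  return true;
}

// Server-side view: build the Access-Control-Allow-Headers value for a preflight.
// requested: names from Access-Control-Request-Headers; allowCredentials: whether the
// server will also send Access-Control-Allow-Credentials: true; allowList: names the
// server is prepared to accept on credentialed requests (hypothetical policy input).
function buildAllowHeadersValue(requested, allowCredentials, allowList) {
  if (!allowCredentials) return "*"; // no credentials: nothing gained by being precise
  const policy = new Set(allowList.map(h => h.toLowerCase()));
  // Credentialed: echo only the requested names that the policy explicitly permits.
  return requested.map(h => h.toLowerCase()).filter(h => policy.has(h)).join(", ");
}
```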