Re: [fetch] Update Access-Control-Allow-Headers CORS response header to allow * (allow-all) (#251)

@sicking, surely curl can also do credentialed requests? It can certainly pass cookies...

I think we basically agree on the problem, but I am not convinced that the security risks are either too great or too difficult to document to outweigh the usability benefits.

As it is, web developers can do all kinds of stupid things. We can't stop them - all we can do is document the right way to implement CORS. If we restrict new features to non-credentialed requests only, I think they will just find other ways to screw up, trying to implement workarounds.

So I tend to think that we should provide comprehensive documentation (examples, scenarios, do's and don'ts) and allow them maximum flexibility, in terms of functionality.

The trouble with trying really hard to avoid a _footgun_ is that you often end up with _no gun_, which is no good if you're faced with a bear.

---
https://github.com/whatwg/fetch/issues/251#issuecomment-201065604

Received on Thursday, 24 March 2016 23:02:16 UTC