Re: [whatwg/fetch] Listing headers safe only for certain values is a bad idea (#313)

There's no lecture about the original issue for which the preflight mechanism was introduced around the `Access-Control-Allow-Headers` definition in the Fetch Standard yet, IIUC. Even if there were such educational texts, basically the CORS preflight has an impact only for developers with enough curiosity and carefulness that they think more about the purpose of the mechanism and what they should do, I think. I'm not sure if this kind of "heads up" has been so effective.

If we take the position that this has not been effective, we shouldn't complicate it any more, as it's useless.

If we take the position that this has been effective, we could say either:

1. let's address new attack vectors in the web browser
2. people have been well educated for 8 years; now they're responsible for fixing issues by themselves

(1) will result in banning almost all kinds of cross-site XHR/Fetch and requiring explicit permission by preflight for everything, while paying the cost of an extra RTT.

My gut feeling is that we should take position (2), to share the cost of fighting attacks between browser vendors and service developers, and make a world with less latency.


-- 
https://github.com/whatwg/fetch/issues/313#issuecomment-245548915

Received on Thursday, 8 September 2016 09:51:39 UTC