Re: [whatwg/fetch] Listing headers safe only for certain values is a bad idea (#313)

> CORS preflight has impact only for developers with much curiosity

CORS preflight has impact for all server authors since it protects them from receiving requests that could cause harmful side-effects on the server.

Without CORS preflight it is very possible that, if you visit my website, I could send a request to your bank asking the bank to transfer a bunch of money from your bank account to mine.

This would be possible without the bank having any server-side CORS logic. In fact, it would be possible because the bank has no server-side CORS logic. We can't expect all websites to suddenly be aware of CORS.


-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/313#issuecomment-245802694

Received on Friday, 9 September 2016 02:40:29 UTC
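
The protection described in the message above, as an added example (not part of the original message and not the Fetch specification's own algorithm): a simplified JavaScript model of how a browser decides whether a credentialed cross-origin request needs a preflight, and why a server with no CORS logic never receives the actual request. The function names, origins and sample responses are constructed for illustration; the model assumes uppercase method names and omits the response status check.

```javascript
// Simplified model of the browser's preflight logic for a credentialed
// cross-origin request. Omits value-length/unsafe-byte checks and later
// safelist additions such as Range. All names are illustrative.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Content-Type is safelisted only for certain values (MIME type essence).
function isSafelistedHeader(name, value) {
  const n = name.toLowerCase();
  if (SAFE_HEADERS.has(n)) return true;
  if (n !== "content-type") return false;
  return SAFE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase());
}

function unsafeHeaderNames(headers) {
  return Object.entries(headers)
    .filter(([k, v]) => !isSafelistedHeader(k, v))
    .map(([k]) => k.toLowerCase());
}

function needsPreflight(req) {
  return !SAFE_METHODS.has(req.method) || unsafeHeaderNames(req.headers).length > 0;
}

const list = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);

// True only if the actual request would leave the browser.
// `optionsResponse` holds the server's OPTIONS response headers (lowercase keys).
function actualRequestIsSent(req, optionsResponse) {
  if (!needsPreflight(req)) return true; // no preflight: server is not asked first
  const r = optionsResponse;
  if (r["access-control-allow-origin"] !== req.origin) return false;
  if (r["access-control-allow-credentials"] !== "true") return false;
  const methods = list(r["access-control-allow-methods"]);
  if (!SAFE_METHODS.has(req.method) && !methods.includes(req.method)) return false;
  const allowed = list(r["access-control-allow-headers"]).map((h) => h.toLowerCase());
  return unsafeHeaderNames(req.headers).every((h) => allowed.includes(h));
}

// Constructed sample: a JSON request from another origin.
const jsonPost = { origin: "https://other.example", method: "POST",
  headers: { "Content-Type": "application/json" } };
const noCorsLogic = {}; // OPTIONS response carries no Access-Control-* headers
const optedIn = { "access-control-allow-origin": "https://other.example",
  "access-control-allow-credentials": "true",
  "access-control-allow-headers": "Content-Type" };
console.log(actualRequestIsSent(jsonPost, noCorsLogic), actualRequestIsSent(jsonPost, optedIn));
```

Requests whose method and headers are all safelisted skip the preflight in this model, so a server still needs its own CSRF defenses for those.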