Re: [whatwg/fetch] CORS should not be enforced on cross-origin requests where credentials is omit or same-origin (#787) from David Barratt on 2018-08-15 (public-webapps-github@w3.org from August 2018)

From: David Barratt <notifications@github.com>
Date: Wed, 15 Aug 2018 06:16:01 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/787/413193423@github.com>

It wouldn't be the first time the web has changed the status quo without unduly affecting end users.

Let me give an example:
Suppose I want to create an RSS reader web app. It would be impossible to do that, because I'd have to ask every single site owner on the web to correctly implement CORS on their server.

So basically, it's impossible to create an web app like that (even though, it's a perfect use case for a web app).

To your point about same-origin policy... why is it that credential-less cross-origin requests are subject to the same origin policy?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/787#issuecomment-413193423

Received on Wednesday, 15 August 2018 13:16:22 UTC