Re: [whatwg/fetch] Same-Origin policy and CORS should not be enforced on cross-origin requests where credentials is omit or same-origin (#787)

The way this could be implemented without breaking backwards-compatibility is: if a request is cross-origin and credential-less, then do the preflight request (like normal); if the response does not have any `Access-Control` headers, then the request is _implicitly_ allowed. Likewise, on the _actual_ request, the headers are checked again to ensure no `Access-Control` headers are present. If they are present, the normal CORS / same-origin policy applies. This way, existing sites that utilize CORS correctly can continue to do so, and sites that have not implemented CORS do not have to in order for their public resources to be accessible.

https://github.com/whatwg/fetch/issues/787#issuecomment-413198672

Received on Wednesday, 15 August 2018 13:33:56 UTC
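
The decision procedure proposed in the comment above, modelled as an added example; it is not part of the original message and is not Fetch-standard or browser code. The function names, the request shape and the `.example` origins are assumptions, and the "normal CORS" branch is reduced to an `Access-Control-Allow-Origin` comparison.

```javascript
// Added illustration: models the procedure proposed in the comment, not the
// Fetch standard. All function names and the request shape are hypothetical.

// True if any header name begins with "access-control-" (case-insensitive).
function hasAccessControlHeaders(headers) {
  return Object.keys(headers).some((n) => n.toLowerCase().startsWith("access-control-"));
}

// Simplified stand-in for the normal CORS check on a credential-less request:
// only Access-Control-Allow-Origin is compared (methods and headers are ignored).
function normalCorsAllows(origin, headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "access-control-allow-origin") {
      return value === "*" || value === origin;
    }
  }
  return false;
}

// Returns one of: "same-origin", "normal-cors" (outside the proposal's scope),
// "implicit-allow", "cors-allow", "cors-deny".
function proposedCheck(request, preflightHeaders, responseHeaders) {
  if (request.origin === request.targetOrigin) return "same-origin";
  const credentialless =
    request.credentials === "omit" || request.credentials === "same-origin";
  if (!credentialless) return "normal-cors";

  // The preflight response is checked first, then the actual response again.
  let sawCors = false;
  for (const headers of [preflightHeaders, responseHeaders]) {
    if (!hasAccessControlHeaders(headers)) continue;
    sawCors = true; // headers present: the normal policy applies
    if (!normalCorsAllows(request.origin, headers)) return "cors-deny";
  }
  return sawCors ? "cors-allow" : "implicit-allow";
}

// Constructed sample request (not from the thread).
const req = { origin: "https://app.example", targetOrigin: "https://api.example", credentials: "omit" };
console.log(proposedCheck(req, {}, {}));
console.log(proposedCheck(req, {}, { "Access-Control-Allow-Origin": "https://other.example" }));
```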