Re: [whatwg/fetch] CORS should not be enforced on cross-origin requests where credentials is omit or same-origin (#787) from David Barratt on 2018-08-15 (public-webapps-github@w3.org from August 2018)

From: David Barratt <notifications@github.com>
Date: Wed, 15 Aug 2018 10:31:04 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/787/413273154@github.com>

Your argument is that, it's ok to sacrifice user experience, in favor a security issue that is effectively nonexistent. And that a user's web browser (a client application) is responsible for protecting a server on the local network.

And that's fine to argue that, but please let the browsers themselves make their own decision(s) instead of closing my issues.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/787#issuecomment-413273154

Received on Wednesday, 15 August 2018 17:31:25 UTC