- From: David Barratt <notifications@github.com>
- Date: Thu, 16 Aug 2018 06:16:32 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 16 August 2018 13:16:53 UTC
That's the discussion we are having, the default behavior is that access is _restricted_ and you have to _allow_ it with CORS. I'm arguing that the default behavior ought to be _allowing_ the non-credentialed request, unless CORS has put a restrictions on that request. Or to put it another way: CORS would be used to _allow_ credentialed requests or _restrict_ non-credentialed requests. If you've set `Access-Control-Allow-Origin` to a fixed value of `example.com` then the change I'm proposing would not affect your site because I would not be allowed to access your domain, I would be _restricted_ by CORS. So while it's _currently_ not used as a restriction, there's nothing stopping it from being used this way. Reversing the behavior would mean that non-credentialed public resources would become available to a web app, and that intranet sites would be responsible for their own security (as they ought to be). -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/787#issuecomment-413541755
Received on Thursday, 16 August 2018 13:16:53 UTC