- From: sleevi <notifications@github.com>
- Date: Thu, 16 Aug 2018 06:24:21 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/787/413543945@github.com>
It is standard in software design, such as APIs, or in secure system design, that once an API contract is made, or an invariant guaranteed, you don’t reverse that. The web’s invariant in the beginning was that there was no cross-origin access to program against. You could only display the content, reflecting the origins of HTML as a display language. The introduction of JavaScript, and the ability to control and manipulate content, necessitated security improvements to preserve that invariant. That was the Same-Origin Policy. As the ability to control and make arbitrary requests was expanded (via XMLHttpRequest), it became even more essential that websites - whether internal or external - should continue to have the invariants and API contracts preserved. I understand you are advocating that we should weaken the security of browsers and expose users to risk, because you feel these decades old security mitigations prevent legitimate use cases. However, since the Web tries very, very hard not to break APIs and invariants - especially when security is on the line - it opted for a different approach, CORS, to allow sites to opt-in. I do not see this changing anytime soon, not without fundamentally redefining the Web’s security assumptions. Every single Web feature would need to be re-evaluated if the SOP was changed as you describe, and there is real cost in doing so, and real harm if even the tiniest mistake is made. Given that alternative solutions exist, energy is better spent in making use of those alternative solutions. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/787#issuecomment-413543945
Received on Thursday, 16 August 2018 13:24:43 UTC