- From: Ziyad Parekh <notifications@github.com>
- Date: Fri, 07 Dec 2018 14:41:44 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 7 December 2018 22:42:06 UTC
To the first point, if a browser running on https://foo.com is making a cross origin request to https://bar.com, (and `bar.com` doesn't have acces-control-origin-allow: * headers) that request, would be blocked by cors and subsequently by corb if the response is of type json/html (right?). If https://foo.com makes a request to https://foo.com/api/resource, and foo.com proxies that request to https://bar.com, sending the response back, cors and corb would not block the response (right?) making the response available to read by third party javascript? So I guess ad scripts/tags have set the Access-Control-Origin-Header on their side and therefore are not blocked by Corb or Cors? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/681#issuecomment-445388142
Received on Friday, 7 December 2018 22:42:06 UTC