- From: Lukasz Anforowicz <notifications@github.com>
- Date: Fri, 07 Dec 2018 14:48:35 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 7 December 2018 22:48:57 UTC
I don't know what "foo.com proxies that request to https://bar.com". If foo.com server trusts bar.com then it can share its data with bar.com (via ftp / http-or-rest / phone calls/etc.). However, because of CORB *the browser* won't share foo.com's data with bar.com. > So I guess ad scripts/tags have set the Access-Control-Origin-Header on their side and therefore are not blocked by Corb or Cors? If an ad script wants to read cross-origin data from foo.com, then *foo.com* (not the ad script) has to agree to giving the data to the ad (by sending back appropriate CORS headers in the http response). -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/681#issuecomment-445389453
Received on Friday, 7 December 2018 22:48:57 UTC