- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Sat, 1 Jul 2017 07:17:07 -0700
- To: Patrick McManus <mcmanus@ducksong.com>
- Cc: Martin Thomson <martin.thomson@gmail.com>, Emily Stark <estark@google.com>, httpbis <ietf-http-wg@w3.org>
On Sat, Jun 10, 2017 at 2:19 AM, Patrick McManus <mcmanus@ducksong.com> wrote:
> second, cors clearly makes some distinction between UA content and
> content-content.. request headers for example. The notion being that the UA
> can effectively make at least some decisions about what will botch things up
> compared to what arbitrary JS might do.

There is some of that (Last-Event-ID from EventSource comes to mind,
not sure there is anything else really), but generally this is no
longer true and I think we should try not to go there. Deciding on a
case-by-case basis when it's okay to violate the same-origin policy
seems rather dangerous, especially as we don't seem to have a set of
guidelines to make those kinds of decisions.

-- 
https://annevankesteren.nl/

Received on Saturday, 1 July 2017 14:17:36 UTC