Re: [Beacon] Last Call comments re: privacy and editorial suggestions

A couple follow-up questions as your helpful replies have led me to read more mailing list discussions.

On July 29, 2014, at 4:11 PM, Jonas Sicking <jonas@sicking.cc> wrote:

>> The CORS specification is listed in the References, but doesn't seem to be referred to in the text of the specification. Are user agents intended to follow the CORS cross-origin request model when making a beacon request to a different origin? If so, is preflight required because of the non-simple Beacon-Age header?
> 
> I think CORS is indirectly used by invoking the fetch spec. I guess
> that means that we could remove the reference to the CORS spec
> entirely. I don't feel strongly.

This email suggests you settled on "yes, let's always send credentials"
	http://lists.w3.org/Archives/Public/public-web-perf/2014Feb/0025.html
but the spec suggests that the credentials mode is always "omit". Which was intended here?

Omitting credentials would seem to lessen the concern of using Beacon for CSRF attacks. (I admit that the presence of the Origin and Beacon-Age headers should also help with that.)

Also, Doug seems to have asked a similar question to what I had about whether preflight is required. As I read it now, it seems like preflight is always required (because Beacon-Age is not on the simple headers list). But your response suggests that preflight would only be required on certain MIME types. Could you clarify?

Thanks,
Nick

Received on Wednesday, 30 July 2014 00:04:31 UTC
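To make the two questions in this thread concrete (when a preflight is needed, and what a credentials mode changes), here is an added example that is not from the Beacon spec, the Fetch spec or anyone on this list: it applies the CORS "simple request" safelist (methods GET/HEAD/POST; headers limited to Accept, Accept-Language, Content-Language and Content-Type with one of three MIME types) to constructed beacon requests, and mirrors the browser's response check under "omit" versus "include" credentials. The header name Beacon-Age and the sample origin are taken from the thread or constructed for illustration.

```javascript
// CORS-safelisted methods and request headers (value length/character limits
// from the Fetch spec are omitted here for brevity).
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
// Content-Type is only safelisted for these MIME types (parameters ignored).
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// headers: plain object of request header name -> value.
// Returns true when a cross-origin request with these properties must be
// preceded by an OPTIONS preflight.
function needsPreflight(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return true; // e.g. Beacon-Age
    if (lower === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return true; // e.g. JSON
    }
  }
  return false;
}

// Mirrors the browser-side CORS response check. With credentials included,
// a wildcard Access-Control-Allow-Origin is rejected and the server must
// also send Access-Control-Allow-Credentials: true; without credentials the
// wildcard is accepted. responseHeaders: lowercase name -> value.
function corsResponseAllowed(requestOrigin, credentialsMode, responseHeaders) {
  const allowOrigin = responseHeaders["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;
  if (credentialsMode !== "include") {
    return allowOrigin === "*" || allowOrigin === requestOrigin;
  }
  return allowOrigin === requestOrigin &&
    responseHeaders["access-control-allow-credentials"] === "true";
}

// Constructed sample beacon requests for a quick check.
const beaconWithAge = { "Content-Type": "text/plain", "Beacon-Age": "120" };
const beaconJson = { "Content-Type": "application/json" };
const beaconForm = { "Content-Type": "application/x-www-form-urlencoded" };
console.log(needsPreflight("POST", beaconWithAge)); // true: Beacon-Age not safelisted
console.log(needsPreflight("POST", beaconJson));    // true: non-safelisted MIME type
console.log(needsPreflight("POST", beaconForm));    // false: simple request
```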