Re: [fetch] RFC: a mechanism to bypass CORS preflight (#210)

I don't really think that an "I really know what I'm doing" flag is going to make a difference. It's just as easy to copy/paste. And the problem isn't really that people don't know what they are doing, it's how easy it is to do the wrong thing vs. how hard it is to do the right thing. In this case just setting the flag (the wrong thing) is dramatically easier than doing the right thing (auditing all your URL handlers perfectly).

I'm a bigger believer in enabling developers to opt in on a per-url or per-directory basis. That way developers at least have the tools to only enable credentials for the URLs that they are sure can handle it.

I'll comment regarding w3ctag/spec-reviews#76 over there.

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/210#issuecomment-179526429

Received on Wednesday, 3 February 2016 23:23:30 UTC