Re: [whatwg/fetch] RFC: a mechanism to bypass CORS preflight (#210)

> Start with just allowing for announcing that the origin understands CORS and therefore it's safe to omit preflight

Presumably this is simple to do and therefore it's also quite dangerous if the requests include credentials. We could, e.g., add a "cors" token to HSTS that simply persists capability for the same time HTTPS is persisted. However, that does mean that all resources on the origin need to be capable of handling the diverse range of inputs.

The problem is with deciding what protection we are comfortable doing away with on the request side of the same-origin policy for an entire origin and how much such a decision needs to be protected from configuration copy-and-paste. Initially with CORS we decided that a whole lot of attention to detail was needed for that. It seems we're now leaning towards "just make it so".

@dveditz @rlbmoz thoughts?

---
https://github.com/whatwg/fetch/issues/210#issuecomment-233588495

Received on Tuesday, 19 July 2016 10:10:32 UTC