Re: [fetch] Update Access-Control-Allow-Headers CORS response header to allow * (allow-all) (#251)

Hey Anne,

Feetgun (footguns?) are bad, but if a security mechanism is too complex or
difficult to implement, people will continue to use JSONP and its ilk.

We can't protect everyone, but we can protect many, by making CORS simpler
to implement.

FWIW, there are many examples out on the internet (some good, some bad) of
CORS implementations, but there is no 'reference implementation'. Perhaps
that's something that WHATWG could consider providing?

@dveditz <https://github.com/dveditz> @bifurcation
<https://github.com/bifurcation> @freddyb <https://github.com/freddyb>?



---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/251#issuecomment-199135225

Received on Monday, 21 March 2016 05:36:30 UTC