Re: [fetch] Update Access-Control-Allow-Headers CORS response header to allow * (allow-all) (#251) from Jonas Sicking on 2016-03-24 (public-webapps-github@w3.org from March 2016)

From: Jonas Sicking <notifications@github.com>
Date: Thu, 24 Mar 2016 16:14:04 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Message-ID: <whatwg/fetch/issues/251/201068741@github.com>

Yes, curl can pass credentials. But only the credentials of the person invoking curl. If website A makes a CORS-with-credentials request to website B, then it's the users cookies to website B that are sent. That is something that the webdeveloper of website A can't accomplish with curl.

It's pretty clear that we're not in a "no gun" situation here. All we're talking about here are APIs for making things that are already possible easier. I.e. these proposals are just grease for existing guns.

I feel like we're just going in circles at this point. Unless new information is presented I will stay silent.

---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/251#issuecomment-201068741

Received on Thursday, 24 March 2016 23:14:39 UTC