Re: [whatwg/fetch] Impact of OSCP on SOP (#530)

The "concern" is again the private intranet not expecting a request from a browser (or the system it's built on) that includes such a header and therefore doing something unexpected.

(Again, it's not really a "concern" or necessarily a "threat"; it's just figuring out where the boundaries are. We restrict what `fetch()` without credentials and without CORS can do, for instance, and I'd like to explore to what extent those restrictions are artificial, grounded in reality, etc. So far it seems we're just not very principled about cross-origin requests, and if you happen to get something to the point of shipping and nothing breaks, it's fine without anyone really understanding where the line is.)

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/530#issuecomment-296208025

Received on Friday, 21 April 2017 14:36:28 UTC
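The "restrictions on `fetch()` without CORS" mentioned in the message above come down to the Fetch standard's CORS-safelisted request-header check: a no-cors request can only carry a handful of header names, each with constrained values, and anything else is silently dropped before the request reaches the network. The following is an added illustration written for this page (it is not code from the whatwg/fetch repository or from the poster); it models that check and a simplified "request-no-cors" header guard, leaves out the later Range rules and the combined-value check the spec applies on append, and uses a constructed sample of headers.

```javascript
// Added example: a model of the Fetch spec's "CORS-safelisted request-header"
// check, which decides which headers a no-cors (non-preflighted) request may
// carry. Illustration code for this page, not whatwg/fetch's own code; the
// Range rules added to the spec later are deliberately omitted.

const SAFELISTED_NAMES = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// "CORS-unsafe request-header byte": control bytes other than HT, the
// delimiters the spec lists, and DEL.
function isCorsUnsafeByte(b) {
  if (b < 0x20 && b !== 0x09) return true;
  if (b === 0x7f) return true;
  return '"():<>?@[\\]{}'.includes(String.fromCharCode(b));
}

// Bytes permitted in Accept-Language / Content-Language values:
// digits, ASCII letters, and space * , - . ; =
function isLanguageByte(b) {
  return (
    (b >= 0x30 && b <= 0x39) || (b >= 0x41 && b <= 0x5a) ||
    (b >= 0x61 && b <= 0x7a) ||
    [0x20, 0x2a, 0x2c, 0x2d, 0x2e, 0x3b, 0x3d].includes(b)
  );
}

function isCorsSafelistedRequestHeader(name, value) {
  const lname = name.toLowerCase();
  if (!SAFELISTED_NAMES.has(lname)) return false;
  const bytes = Buffer.from(value, "latin1"); // header values are byte sequences
  if (bytes.length > 128) return false;       // spec's length cap
  switch (lname) {
    case "accept":
      return !bytes.some(isCorsUnsafeByte);
    case "accept-language":
    case "content-language":
      return bytes.every(isLanguageByte);
    case "content-type": {
      if (bytes.some(isCorsUnsafeByte)) return false;
      // MIME essence: type/subtype with parameters stripped, case-insensitive.
      const essence = value.split(";")[0].trim().toLowerCase();
      return SAFELISTED_CONTENT_TYPES.has(essence);
    }
  }
  return false;
}

// Simplified "request-no-cors" header guard: a header that is not
// CORS-safelisted is ignored rather than raising an error, so the page never
// learns it was dropped and the intranet host never sees it.
function buildNoCorsHeaders(pairs) {
  const kept = new Map();
  const dropped = [];
  for (const [name, value] of pairs) {
    if (isCorsSafelistedRequestHeader(name, value)) {
      kept.set(name.toLowerCase(), value);
    } else {
      dropped.push(name);
    }
  }
  return { kept, dropped };
}

// Constructed sample: headers a page might try to attach to a no-cors fetch.
const sample = buildNoCorsHeaders([
  ["Accept", "text/html"],
  ["Content-Type", "application/json"],
  ["X-Requested-With", "XMLHttpRequest"],
]);
console.log("sent:", [...sample.kept.keys()], "dropped:", sample.dropped);
```

The practical reading for the thread's question: if a header is not in the safelist above, a no-cors `fetch()` cannot put it on the wire at all, so any header an intranet host "does not expect" has to arrive through some other path than page-controlled no-cors requests.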