- From: Emily Stark <notifications@github.com>
- Date: Wed, 19 Jul 2017 05:48:39 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 19 July 2017 13:28:07 UTC
Related issues: https://github.com/whatwg/fetch/issues/530 https://github.com/bifurcation/expect-ct/issues/18 https://github.com/WICG/reporting/issues/41 https://github.com/httpwg/http-extensions/issues/356 (Feel free to close this if you feel it's duplicative with any of those issues.) Various specs include various types of "special" requests without CORS preflights, even though they are triggered by web content, to a URL controlled by web content, and are not safe/simple requests. Many of the examples (CSP, Reporting API, HPKP) are reporting requests, but not all (OCSP). In Expect-CT, the spec lets the UA decide whether a preflight is needed and doesn't take a position on it. In some cases, like CSP, the lack of preflights is basically a bug, but realistically I doubt we'd be able to require preflights any time soon because of compatibility reasons. In other cases, like OCSP, it doesn't seem likely that implementations will ever want to preflight because of layering reasons. Should Fetch handle these requests in some way? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/567
Received on Wednesday, 19 July 2017 13:28:07 UTC