- From: Anne van Kesteren <notifications@github.com>
- Date: Wed, 08 Mar 2017 07:28:05 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 8 March 2017 15:28:41 UTC
Basically without this any site that uses `Access-Control-Allow-Origin: *` and doesn't use `Vary` for any credentials is vulnerable (assuming the browser in question supports `Vary` adequately for such scenarios to begin with). I don't think that's a responsible setup, especially as we require sites to go to great lengths to expose credentialed data through CORS precisely because such data is so sensitive. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/307#issuecomment-285072092
Received on Wednesday, 8 March 2017 15:28:41 UTC