- From: Mike West <notifications@github.com>
- Date: Tue, 03 Apr 2018 01:06:48 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 3 April 2018 08:07:11 UTC
> Pretty sure Adam Barth tried `Origin` on each request to combat XSRF and it's simply not web compatible. That's why we ended up with the rules for it we have today. If the objection is purely practical, perhaps @abarth could help us recall the challenges he ran into? I'd suggest that CORS is baked-into enough of the web at this point that it might be worth trying again (especially since I think there's at least tentative agreement from Firefox folks to expand `Origin`'s coverage to [include some subset of non-GET/HEAD requests](https://developer.mozilla.org/en-US/Firefox/Experimental_features#Security)). -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/687#issuecomment-378164609
Received on Tuesday, 3 April 2018 08:07:11 UTC