- From: David Barratt <notifications@github.com>
- Date: Wed, 15 Aug 2018 06:33:34 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 15 August 2018 13:33:56 UTC
The way this could be implemented without breaking backwards-comparability is, if a request is cross-origin, credential-less, then do the preflight request (like normal) if the response does not have any `Access-Control` headers, then the request is _implicitly_ allowed. Likewise, on the _actual_ request, the headers are checked again to ensure there are no `Access-Control` headers are present. If they are present, the normal CORS / same-origin policy applies. This way, existing sites that utilize CORS correctly can continue to do so, and sites that have no implemented CORS do not have to in order for their public resources to be accessible. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/787#issuecomment-413198672
Received on Wednesday, 15 August 2018 13:33:56 UTC