- From: sleevi <notifications@github.com>
- Date: Thu, 21 Jun 2018 10:41:08 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 21 June 2018 17:41:30 UTC
I'm sure @annevk can chime in more authoritatively, but when I examined the history of this, it's precisely because it allows for third parties to attempt to brute-force enumerate passwords for other services.

As a security mechanism, blacklisting is not viable. It merely serves to prevent new authentication methods from being introduced and tightly couples layers that are best separated. The `Authorization` header also has special treatment by both browsers and servers.

Do you have more details about how/why it is a "key tool for cross-site communication"? This may help understand and document the design space more, as this is a security mitigation to protect users and devices.

https://github.com/whatwg/fetch/issues/770#issuecomment-399186252