Re: [whatwg/fetch] What would be the downside of respecing `Access-Control-Allow-Origin: *` even when the `Origin` header is not sent? (#680) from Andrew Meyer on 2018-03-07 (public-webapps-github@w3.org from March 2018)

From: Andrew Meyer <notifications@github.com>
Date: Wed, 07 Mar 2018 14:27:17 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/680/371307739@github.com>

> As I understand it, the "data" being referred to here is the "Origin" header

Gah, I'm dumb. The "data" here is obviously referring to site data returned from sites accessed via cross-origin requests, not the Origin header. This part is just explaining why we can't make arbitrary cross-origin sites without credentials without requiring the target sites to send CORS headers.

That solves this question, but raises another one in regards to some decisions made in the HTML spec... time for some more research.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/680#issuecomment-371307739

Received on Wednesday, 7 March 2018 22:27:43 UTC