Re: [whatwg/fetch] Tests do not always require Origin header when mode is "cors" (#871) from James Bromwell on 2019-08-13 (public-webapps-github@w3.org from August 2019)

From: James Bromwell <notifications@github.com>
Date: Tue, 13 Aug 2019 03:08:44 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/871/520774538@github.com>

Has there been any movement on this?  If you're looking to CORS-enable an application, all the documentation you find online -- as well as a number of libraries that handle it for you -- say that you should base your response on the Origin request header.  If a bunch of browsers are now sending CORS requests with no Origin, how am I supposed to figure out the value to send for ACAO?  I can parse it out of the Referer, assuming that's set, but is it a good long-term solution?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/871#issuecomment-520774538

Received on Tuesday, 13 August 2019 10:09:07 UTC