- From: Anne van Kesteren <notifications@github.com>
- Date: Tue, 29 Jan 2019 04:43:25 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 29 January 2019 12:43:46 UTC
The idea is that if the server consents to CORS it's supposed to mitigate any concerns with requests itself. Until it consents to CORS the browser should do its best to protect the server. I'll grant you that there's a bit of a mismatch due to the granularity CORS provides and I'm not sure we'd design it the same way if we could start with the web from scratch. It might perhaps be worth calling this out more somehow. (Note that for bad escaping CORS also blocks a fair number of bytes in values to mitigate those concerns somewhat.) -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/862#issuecomment-458526121
Received on Tuesday, 29 January 2019 12:43:46 UTC