- From: Pieter Colpaert <notifications@github.com>
- Date: Tue, 29 Jan 2019 14:04:19 +0000 (UTC)
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 29 January 2019 14:04:42 UTC
Another reason why the currently accepted approach seems wrong to me: there are initiatives to enable CORS on public Web resources. See e.g. https://enable-cors.org/. They currently only advocate for `Access-Control-Allow-Origin: *`. As a result of the update in this spec, they would also start advocating for `Access-Control-Allow-Headers: *`.

But what is safer?

1. a server allowing any page to send any header, even if it didn’t pass the preflight test, or
2. a server only allowing a page to send the headers it specifically supports?

The only way the second option would be supported would be by accepting Suggestion 2 and not blocking but altering the HTTP requests based on the preflight response.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/862#issuecomment-458551161
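To make the two server policies in the message concrete, this added example (not part of the original message or of the Fetch specification text) builds a preflight response under each policy and runs a simplified model of the browser's header check for a request without credentials. The function names and the sample header names are constructed for illustration.

```javascript
// Added illustration. SUPPORTED_HEADERS, preflightHeaders and preflightPasses
// are hypothetical names; the header names are constructed sample values.
const SUPPORTED_HEADERS = ['accept-datetime', 'content-type'];

// Split a comma-separated list of header names into lowercase tokens.
function parseList(value) {
  return (value || '')
    .split(',')
    .map((s) => s.trim().toLowerCase())
    .filter(Boolean);
}

// Server side: response headers for an OPTIONS preflight.
// policy 'wildcard'  -> option 1 in the message (allow any header)
// policy 'allowlist' -> option 2 (only the headers the server supports)
function preflightHeaders(policy) {
  return {
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Headers':
      policy === 'wildcard' ? '*' : SUPPORTED_HEADERS.join(', '),
  };
}

// Client side: simplified model of the check a browser applies to the names
// it sent in Access-Control-Request-Headers, for a request without
// credentials. `*` covers any name except Authorization, which must always
// be listed explicitly.
function preflightPasses(response, requestedHeaders) {
  const allowed = parseList(response['Access-Control-Allow-Headers']);
  const wildcard = allowed.includes('*');
  return parseList(requestedHeaders).every(
    (name) => allowed.includes(name) || (wildcard && name !== 'authorization')
  );
}

// Constructed sample: a page wants to send one supported and one unknown header.
const wanted = 'Accept-Datetime, X-Debug-Token';
console.log('wildcard :', preflightPasses(preflightHeaders('wildcard'), wanted));
console.log('allowlist:', preflightPasses(preflightHeaders('allowlist'), wanted));
```

Under the allowlist policy the whole request is blocked as soon as one requested header is not listed, which is the current behaviour the message contrasts with altering the request instead.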