[whatwg/fetch] Allow servers to completely opt out of current and future CORS protection (#865)

Some servers want to completely opt out of CORS protection, as evidenced by https://enable-cors.org/. This is a common use case.

Unfortunately, the way of opting out described there has recently been broken due to tightened security, as discussed in https://github.com/whatwg/fetch/issues/862. Client applications stopped working, and the solution was on the server side. So https://enable-cors.org/ needs to be extended, and servers have to be reconfigured.

To make matters worse, security can be tightened again at any point in the future, which will again break apps and force new server-side changes.

I therefore propose the introduction of a `Disable-CORS-Protection: true` header, which is a future-proof way of opting out of any CORS protection. Servers that do not require any protection (think open data), or servers that have their own protection mechanisms (various forms of auth), might prefer that option to work indefinitely. Servers with other needs can still resort to more granular CORS headers.


https://github.com/whatwg/fetch/issues/865

Received on Thursday, 31 January 2019 15:29:28 UTC