- From: Ruben Verborgh <notifications@github.com>
- Date: Fri, 08 Mar 2019 08:07:27 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/878/470981483@github.com>
> I don't think any solution can be final. That would make stable public APIs and authenticated APIs an impossibility. I think we can do better. > If you invent yet another opt-in, say `Allow-Superpowers-And-I-Really-Mean-It: honestly`, and 5 years later a new capability is released that would create a vulnerability on 5% of those opt-in sites The trick is in letting server operators understand exactly what they are opting in to. I challenge anyone to ask 10 server operators what they are opting in to when they are providing `Access-Control-Allow-Origin: *`. They will likely not now. So this is not about opting in to certain features. It is a matter of saying `Resource-Access-Protection-Responsibility: server` or `Resource-Personalization: none` or `Resource-Authentication-Responsibility: server`. Providing a Web API that you _want_ to be accessible from any Web app, regardless of what happens, seems like a very reasonable requirement. > The CORS change seems bad, but I don't see yet another opt-in making things easier. Another opt-in has the same server-updating problem. So let's not have another opt-in then, but rather something sustainable. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/878#issuecomment-470981483
Received on Friday, 8 March 2019 16:07:48 UTC