Re: [whatwg/fetch] Proposal: Allow servers to take full responsibility for cross-origin access protection (#878)

> > That would make stable public APIs and authenticated APIs an impossibility.
> 
> I don't think that's true.

It is: dozens of Web APIs are running that have followed https://enable-cors.org/ with the intention of working from any Web application. These instructions no longer hold, so those APIs need an update on the HTTP level (= not stable). Furthermore, any such changes can happen in the future, so APIs will have to make adjustments (= not stable). Hence, I conclude that stable public APIs are not a possibility if servers do not have the ability to explicitly take responsibility for cross-origin access protection.

> What's your proposal, if not an opt-in?

A mechanism by which a server can say "I am taking care of all current and future cross-origin protections for this resource", and/or "this is a non-personalized resource". So not a matter of opting in or out from specific features (which CORS is designed for, and still useful for), but rather deciding who assumes that responsibility. As such, servers accessed from the browser would have the same protections as when accessed from the commandline or a native application. So apps can do nothing from the browser which they wouldn't be able to do through other means anyway.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/878#issuecomment-470995061

Received on Friday, 8 March 2019 16:45:41 UTC
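As an added example (not code from the thread, the Fetch spec, or any project named above) of the "server takes responsibility" stance described in the comment: a request handler that follows the enable-cors.org recipe (`Access-Control-Allow-Origin: *`, preflight answered for any origin) and makes that safe by never relying on ambient browser credentials. Public resources are the same bytes for every caller; authenticated resources accept only an explicit bearer token and ignore cookies, so a page in a browser gains nothing over curl. The route names, token table and request/response shapes are hypothetical, and the sample token is constructed for illustration.

```javascript
// Added example: an origin-agnostic API handler in the spirit of enable-cors.org.
// Everything here (paths, token store, request shape) is hypothetical.

const PUBLIC_PATHS = new Set(["/public/data"]);
const PRIVATE_PATHS = new Set(["/me/profile"]);
// Constructed sample token store; a real service would verify signed tokens.
const TOKENS = new Map([["tok-alice-123", "alice"]]);

// Static CORS headers. Credentials are never allowed, so "*" is safe and
// Access-Control-Allow-Credentials is deliberately absent.
const CORS_HEADERS = {
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
  "Access-Control-Allow-Headers": "Authorization, Content-Type",
  "Access-Control-Max-Age": "86400",
};

// Case-insensitive header lookup on a plain object.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// req: { method, path, headers }  ->  { status, headers, body }
function handleRequest(req) {
  const { method, path, headers = {} } = req;

  // Preflight: identical answer for any Origin, no per-origin logic to get wrong.
  if (method === "OPTIONS") {
    return { status: 204, headers: { ...CORS_HEADERS }, body: "" };
  }

  if (PUBLIC_PATHS.has(path)) {
    // Non-personalized resource: same response for every caller, so a
    // cross-origin read reveals nothing about the user and caching is harmless.
    return {
      status: 200,
      headers: { ...CORS_HEADERS, "Cache-Control": "public, max-age=60" },
      body: JSON.stringify({ items: [1, 2, 3] }),
    };
  }

  if (PRIVATE_PATHS.has(path)) {
    // Authenticated resource: authority comes only from a bearer token the
    // calling script had to obtain and attach. A Cookie header is ignored, so
    // a third-party page cannot ride on the user's existing session.
    const auth = getHeader(headers, "Authorization") || "";
    const m = /^Bearer\s+(\S+)$/.exec(auth);
    const user = m ? TOKENS.get(m[1]) : undefined;
    if (!user) {
      return { status: 401, headers: { ...CORS_HEADERS, "WWW-Authenticate": "Bearer" }, body: "" };
    }
    return {
      status: 200,
      headers: { ...CORS_HEADERS, "Cache-Control": "no-store" },
      body: JSON.stringify({ user }),
    };
  }

  return { status: 404, headers: { ...CORS_HEADERS }, body: "" };
}

// Walk through the cases a reviewer would check: a cookie-only request to a
// private route is refused, a bearer-token request succeeds, public data is
// served to any origin, and preflight never grants credentials.
function demo() {
  const cookieOnly = handleRequest({ method: "GET", path: "/me/profile", headers: { Cookie: "session=abc" } });
  const bearer = handleRequest({ method: "GET", path: "/me/profile", headers: { authorization: "Bearer tok-alice-123" } });
  const pub = handleRequest({ method: "GET", path: "/public/data", headers: { Origin: "https://other.example" } });
  const preflight = handleRequest({ method: "OPTIONS", path: "/me/profile", headers: { Origin: "https://other.example" } });
  return {
    cookieOnlyStatus: cookieOnly.status,          // 401
    bearerUser: JSON.parse(bearer.body).user,     // "alice"
    publicStatus: pub.status,                     // 200
    preflightAllowsCredentials: preflight.headers["Access-Control-Allow-Credentials"] !== undefined, // false
  };
}
```

The design choice worth noting is that the "*" wildcard is only safe because the server has no notion of ambient credentials: the browser would already refuse to expose a credentialed response under "*", but ignoring cookies server-side means the protection does not depend on which cross-origin rules the browser ships in any given year.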