Re: [whatwg/fetch] Proposal: Allow servers to take full responsibility for cross-origin access protection (#878)

If the browser adds a new network capability, the responsibility of the server has changed without them being notified. If this results in a site's users being compromised, it's the browser's fault, because it was their change that broke things for users.

This is why we wouldn't introduce the new capability without an opt-in.

On one hand you say:

> Getting all affected Web servers updated is expensive and will likely take several years, and there is no guarantee that such an update will not be obsoleted again. It is unsure whether troubled servers will be updated timely or at all

Then on the other:

> The server needs to update.



-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/878#issuecomment-471006768

Received on Friday, 8 March 2019 17:20:37 UTC