Re: [whatwg/fetch] Proposal: Allow servers to take full responsibility for cross-origin access protection (#878)

Today servers express a clear wish to opt out through `Access-Control-Allow-Origin: *`. However, that is not what it strictly means. As evidenced by the recent small change, existing applications will keep breaking when opting out is not expressed in the specification. In the as-is situation, servers need to adapt their opting-out workaround as the spec evolves, regardless of their use case.

Instead of having this workaround that servers now implement, we propose that a dedicated mechanism be put in place. This mechanism then becomes part of the living specification, where browser vendors would be _more cautious_ (never say never) to change anything in this part as it may break these applications.

Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/878#issuecomment-471013790

Received on Friday, 8 March 2019 17:42:21 UTC