- From: Jake Archibald <notifications@github.com>
- Date: Fri, 08 Mar 2019 09:42:29 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/878/471013960@github.com>
Let me try and explain: If I said to you "Here is a button, if you press it, it gives me £20 of your money", nothing has changed by default other than the existence of the button. If you press it, I get £20 of your money, but it's fair to say you have opted in to this transaction.

If I just took £20 of your money, this was not an opt-in experience for you, because you were not consulted ahead of the transaction. It wasn't optional.

If I was going to take £20 of your money unless you pressed a button to prevent me, default behavior has still changed. You haven't opted in to giving me your money. You could say there's an opt-in feature to prevent me getting your money, but because the button reverts things to default, it's more commonly called an opt-out.

Similarly, you could frame CORS and your proposal as opt-ins or opt-outs, but they're definitely one of those, and they're the same one. If, for serious security reasons, breaking changes were made to CORS, those same reasons would apply to your basically-the-same proposal. If a significant new capability arrived that required an opt-in, users of your proposal wouldn't bypass that opt-in unless it could be proven to be safe.

This is basically how CORS started. A new capability (cross-origin XHR) was introduced that was unsafe to enable by default, so an opt-in (CORS) was created.

View it on GitHub: https://github.com/whatwg/fetch/issues/878#issuecomment-471013960
Received on Friday, 8 March 2019 17:42:50 UTC
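As an added example (not part of the comment above, nor code from the whatwg/fetch project), the following JavaScript models the opt-in that the last paragraph describes: on the client side, the "CORS check" from the Fetch standard (https://fetch.spec.whatwg.org/#concept-cors-check), under which a cross-origin response is unreadable unless the server sent an `Access-Control-Allow-Origin` header that names the requester; on the server side, an allowlist that decides whether to send that header at all. The origins, the allowlist and the response headers are constructed for illustration; `corsCheck`, `corsResponseHeaders` and `simulateCrossOriginRead` are names chosen here, not spec or project identifiers.

```javascript
// Added example, not from the thread or the Fetch project.
// Client side: the Fetch standard's CORS check. `requestOrigin` is the
// serialized origin of the page making the request, `credentialsMode` is
// "omit" | "same-origin" | "include", and `responseHeaders` is a plain
// object of header name -> value as received from the server.
// Returns true if the page may read the response, false otherwise.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  // Header names are case-insensitive; normalise before lookup.
  const headers = new Map(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), String(v).trim()])
  );
  const allowOrigin = headers.get('access-control-allow-origin');

  // Default: no header means the server never opted in, so no read access.
  if (allowOrigin === undefined) return false;

  // "*" opts in every origin, but only for requests without credentials.
  if (credentialsMode !== 'include' && allowOrigin === '*') return true;

  // Otherwise the header must name exactly this requester's origin.
  if (allowOrigin !== requestOrigin) return false;

  // Credentialed requests additionally need an explicit credentials opt-in.
  if (credentialsMode !== 'include') return true;
  return headers.get('access-control-allow-credentials') === 'true';
}

// Server side: an origin allowlist. Only origins the operator trusts get the
// opt-in headers; everyone else gets the response with no CORS headers, which
// the browser will refuse to expose to the page (the "default" in the comment).
function corsResponseHeaders(requestOrigin, allowedOrigins) {
  const headers = { 'Content-Type': 'application/json' };
  if (allowedOrigins.has(requestOrigin)) {
    // Echo the specific origin rather than "*": "*" cannot be combined with
    // credentials, and echoing without an allowlist would be an opt-in for all.
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Access-Control-Allow-Credentials'] = 'true';
    headers['Vary'] = 'Origin'; // keep caches from serving one origin's opt-in to another
  }
  return headers;
}

// Put both halves together: the page at `requestOrigin` fetches a resource
// whose server uses `allowedOrigins`. Returns true if the page can read it.
function simulateCrossOriginRead(requestOrigin, credentialsMode, allowedOrigins) {
  const responseHeaders = corsResponseHeaders(requestOrigin, allowedOrigins);
  return corsCheck(requestOrigin, credentialsMode, responseHeaders);
}

// Constructed sample allowlist for a hypothetical API server.
const ALLOWED_ORIGINS = new Set(['https://app.example']);

// Stand-alone demonstration when run directly.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('trusted origin, with cookies:',
    simulateCrossOriginRead('https://app.example', 'include', ALLOWED_ORIGINS));
  console.log('untrusted origin, with cookies:',
    simulateCrossOriginRead('https://evil.example', 'include', ALLOWED_ORIGINS));
}
```

The first call above returns `true` and the second `false`: the untrusted page's request still reaches the server and the server still answers, but with no `Access-Control-Allow-Origin` header the browser keeps the body from the page. That is the default the comment refers to, and the header is the opt-in that changes it.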