- From: Ruben Verborgh <notifications@github.com>
- Date: Fri, 08 Mar 2019 18:57:27 +0000 (UTC)
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/878/471037451@github.com>
> @RubenVerborgh Do you feel that I've accurately captured some of the tension in perspective? Unfortunately not. > there are two points - one which is a suggestion that existing functionality should not have changed I did not make that point and I do not agree with that point. So for the sake of argument, I will explicitly state it here: It is good that CORS has changed. It protects those servers that only wanted to selectively disable some cross-origin protections, which is what the CORS headers provide. > another suggesting there should be a guarantee not only that existing functionality won't change I did not make that point and I do not agree with that point. So for the sake of argument, I will explicitly state it here: I think CORS functionality should keep on changing to protected those servers that only want to selectively disable some cross-origin protections. > The problem with a default opt-out is that it cannot be safely reasoned about I am not arguing for a default. > because at the time the opt-out was made, the information wasn't available. There's no way the developer could have made a (truly) informed choice Why not? If I know that my resources are public and not personalized, what is not informed about my choice to say, I will take responsibility for cross-origin requests? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/878#issuecomment-471037451
Received on Friday, 8 March 2019 18:57:49 UTC