- From: Michael Quad <notifications@github.com>
- Date: Sat, 29 Feb 2020 07:53:15 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Saturday, 29 February 2020 15:53:28 UTC
One clear and reliable method to fix this is: #### Make `mode: no-cors` work as stated - headers are not analyzed - nothing is opaque. You decide: SECURITY or heck it, wild-wild-web. So those, who used `no-cors` are fully responsible for their applciation layer deeds. And if you think about Zombie-browsers abusing this, don't worry, they don't exist (until user machine is compromised). Benefits: - reduced spec size, less senteces to read and to remember - less stupid issues about escaping CORS labyrinth - less bytes wasted on transmitting headers in the web - reduced server logic - etc, bytes saved Is this a good optimization? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/878#issuecomment-592959168
Received on Saturday, 29 February 2020 15:53:28 UTC