- From: Anne van Kesteren <notifications@github.com>
- Date: Mon, 30 Mar 2020 23:43:42 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 31 March 2020 06:43:56 UTC
@mnot the same-origin policy was put in place to protect user data on servers. When it was put in place it had a number of enshrined "weak points", such as allowing arbitrary GETs without custom request headers. When CORS was put in place the same-origin policy was "weakened" ever so slightly and that has caused a bunch of collateral damage. Overall it was probably good in that it allowed many more interesting things, but we're still fixing the finer details and hearing about security vulnerabilities (both browser and server side). So yeah, proposals to "weaken" the same-origin policy further will continue to have a tough time and have to be balanced somehow. (The same-origin policy being what works if the server does not opt into CORS. CORS is really about opting out of restrictions, not about restricting.) -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/1006#issuecomment-606432639
Received on Tuesday, 31 March 2020 06:43:56 UTC