Re: [whatwg/fetch] CORS-safelisted request-headers and Client Hints (#1006)

@mnot the same-origin policy was put in place to protect user data on servers. When it was put in place it had a number of enshrined "weak points", such as allowing arbitrary GETs without custom request headers. When CORS was put in place the same-origin policy was "weakened" ever so slightly and that has caused a bunch of collateral damage. Overall it was probably good in that it allowed many more interesting things, but we're still fixing the finer details and hearing about security vulnerabilities (both browser and server side). So yeah, proposals to "weaken" the same-origin policy further will continue to have a tough time and have to be balanced somehow.

(The same-origin policy being what works if the server does not opt into CORS. CORS is really about opting out of restrictions, not about restricting.)

https://github.com/whatwg/fetch/issues/1006#issuecomment-606432639

Received on Tuesday, 31 March 2020 06:43:56 UTC
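As an added illustration (not part of the thread, and not code from the Fetch spec's authors) of the "arbitrary GETs without custom request headers" weak point mentioned above: a small Python model of the Fetch specification's CORS-safelisted request-header rules, deciding whether a browser would send a cross-origin request with no preflight, i.e. before the server has opted into anything. Assumptions: it reflects the definition as of this discussion (the later Range-header rule is omitted) and simplifies MIME parsing to the type/subtype before the first `;`.

```python
"""Model of which (method, headers) a browser sends cross-origin WITHOUT a
CORS preflight. Added example modelled on the Fetch spec's definition of a
CORS-safelisted request-header; simplified (no Range rule, naive MIME parse)."""

# CORS-safelisted methods: no preflight needed for the method itself.
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}

# Bytes allowed in Accept-Language / Content-Language values.
_LANG_OK = set(b"0123456789abcdefghijklmnopqrstuvwxyz"
               b"ABCDEFGHIJKLMNOPQRSTUVWXYZ *,-.;=")

# Only these Content-Type essences are safelisted (form posts, plain text).
_SAFE_MIME = (b"application/x-www-form-urlencoded", b"multipart/form-data",
              b"text/plain")


def cors_unsafe_byte(b: int) -> bool:
    """CORS-unsafe request-header byte: control chars (except HT) or delimiters."""
    return (b < 0x20 and b != 0x09) or b in b'"():<>?@[\\]{}\x7f'


def is_cors_safelisted(name: str, value: bytes) -> bool:
    """Return True if this header never triggers a preflight on its own."""
    if len(value) > 128:                      # per-header value length limit
        return False
    name = name.lower()
    if name == "accept":
        return not any(cors_unsafe_byte(b) for b in value)
    if name in ("accept-language", "content-language"):
        return all(b in _LANG_OK for b in value)
    if name == "content-type":
        if any(cors_unsafe_byte(b) for b in value):
            return False
        essence = value.split(b";", 1)[0].strip().lower()  # simplified parse
        return essence in _SAFE_MIME
    return False                              # every other name is custom


def needs_preflight(method: str, headers: list[tuple[str, bytes]]) -> bool:
    """True if a cross-origin fetch with these parameters requires a preflight."""
    if method.upper() not in SAFELISTED_METHODS:
        return True
    total = 0
    for name, value in headers:
        if not is_cors_safelisted(name, value):
            return True
        total += len(value)
    return total > 1024                       # combined safelisted-value cap
```

Anything for which `needs_preflight` returns False reaches the server from any origin with the user's cookies attached, which is exactly the surface a server must assume is exposed regardless of its CORS configuration.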