Re: [whatwg/fetch] Proposal: Allow servers to take full responsibility for cross-origin access protection (#878)

From my perspective, this problem is best stated in terms of invariants: What does WHATWG guarantee will hold in all future versions of the fetch specification, and how can a server signal that they only rely on these guaranteed properties?

One candidate for an invariant is *No origin can access or tamper with the body of a request sent by a different origin without authorization by the sending origin or the user agent.* If this invariant holds, then any server that ignores request headers will not be affected by future changes to the fetch specification.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/878#issuecomment-731406246

Received on Friday, 20 November 2020 21:04:31 UTC