Re: [whatwg/fetch] Send "null" Origin headers on cross-origin requests from an RFC7686 address (Issue #1350)

If I understand the proposal correctly, this would have the effect of disabling meaningful access controls for resources that `.onion` pages wish to access (since any cross-origin response to a CORS-mode request would have to send headers that allowed any opaque origin to access the resource). That seems like a somewhat counterproductive restriction.

A weaker version of this proposal would apply the restriction to no-cors requests, but not to CORS requests (similar conceptually to the [`credentialless`](https://html.spec.whatwg.org/#coep-credentialless) COEP mode). Is that direction worth exploring?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1350#issuecomment-964887038

Received on Wednesday, 10 November 2021 08:23:15 UTC
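
The access-control effect described in the comment above, as an added example that is not part of the original message: a simplified model of the CORS origin match between the `Origin` request header and `Access-Control-Allow-Origin`. The names `http://trustedexample.onion` and `https://api.example` are constructed, and the `proposal` flag is a hypothetical switch standing in for the behaviour in the issue title.

```javascript
// Constructed origins for illustration only.
const TRUSTED = "http://trustedexample.onion";
const API = "https://api.example";

// Value of the Origin header the browser would send. With `proposal` on,
// a cross-origin request from a .onion page is serialized as "null".
function originHeader(pageOrigin, targetOrigin, { opaque = false, proposal = false } = {}) {
  if (opaque) return "null"; // opaque origin, e.g. a sandboxed iframe
  const host = new URL(pageOrigin).hostname;
  const crossOrigin = pageOrigin !== targetOrigin;
  if (proposal && crossOrigin && host.endsWith(".onion")) return "null";
  return pageOrigin;
}

// Server side: echo the Origin back only when it is on the allowlist.
function allowOriginFor(requestOrigin, allowlist) {
  return allowlist.has(requestOrigin) ? requestOrigin : null;
}

// Browser side (simplified CORS check): the response is readable only if
// Access-Control-Allow-Origin matches the request's serialized origin.
function corsCheck(requestOrigin, acao) {
  return acao !== null && acao === requestOrigin;
}

function canRead(pageOrigin, allowlist, opts) {
  const origin = originHeader(pageOrigin, API, opts);
  return corsCheck(origin, allowOriginFor(origin, allowlist));
}

function scenarios() {
  const strict = new Set([TRUSTED]);
  const withNull = new Set([TRUSTED, "null"]);
  const other = "https://other.example"; // page behind an opaque origin
  return {
    // Current behaviour: the allowlist separates the two callers.
    today: { trusted: canRead(TRUSTED, strict), opaque: canRead(other, strict, { opaque: true }) },
    // Proposal, allowlist unchanged: the .onion page loses access.
    proposalStrict: { trusted: canRead(TRUSTED, strict, { proposal: true }) },
    // Proposal, "null" allowed so the .onion page works again:
    // every opaque origin now passes the same check.
    proposalNull: {
      trusted: canRead(TRUSTED, withNull, { proposal: true }),
      opaque: canRead(other, withNull, { opaque: true, proposal: true }),
    },
  };
}

console.log(scenarios());
```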