Re: [whatwg/fetch] Proposal: CORS means TAO by default (Issue #1414)

@achristensen07 - The monitoring benefits of making CORS imply TAO are that there's a lot of content out there that's CORS enabled but not TAO enabled, and while we could urge developers to also add TAO to it, the odds of success for that aren't great.
At the same time, CORS support already enables attackers to get all that timing information about the resource by other means (by fetching it), so requiring a TAO opt-in on top of CORS seems like it doesn't add any user protections.  

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1414#issuecomment-1072065575

Message ID: <whatwg/fetch/issues/1414/1072065575@github.com>

Received on Friday, 18 March 2022 06:16:15 UTC
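
The gap the comment describes, responses that pass the CORS check but carry no matching `Timing-Allow-Origin`, can be measured by auditing response headers. The following is an added example, not part of the original message or of the Fetch specification: it is a simplified model of the two checks for a cross-origin request made without credentials, and the function names and sample responses are constructed for illustration.

```javascript
// Simplified model: cross-origin request, credentials mode not "include".
// Header lookup is case-insensitive, as HTTP header names are.
function headerValue(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name);
  return key === undefined ? null : String(headers[key]).trim();
}

// CORS check: Access-Control-Allow-Origin is "*" or the serialized origin.
function passesCors(headers, origin) {
  const acao = headerValue(headers, "access-control-allow-origin");
  return acao !== null && (acao === "*" || acao === origin);
}

// TAO check: Timing-Allow-Origin is a comma-separated list; "*" or the
// serialized origin must appear in it.
function passesTao(headers, origin) {
  const tao = headerValue(headers, "timing-allow-origin");
  if (tao === null) return false;
  return tao.split(",").map(v => v.trim()).some(v => v === "*" || v === origin);
}

function classify(headers, origin) {
  const cors = passesCors(headers, origin);
  const tao = passesTao(headers, origin);
  if (cors) return tao ? "cors-and-tao" : "cors-without-tao";
  return tao ? "tao-only" : "neither";
}

// URLs readable by `origin` via CORS whose detailed timing is still hidden.
function auditResponses(responses, origin) {
  return responses
    .filter(r => classify(r.headers, origin) === "cors-without-tao")
    .map(r => r.url);
}

// Constructed sample responses (hypothetical hosts).
const SAMPLE = [
  { url: "https://cdn.example.test/font.woff2", headers: { "Access-Control-Allow-Origin": "*" } },
  { url: "https://api.example.test/data", headers: { "access-control-allow-origin": "https://app.example.test", "timing-allow-origin": "https://app.example.test" } },
  { url: "https://img.example.test/a.png", headers: { "Timing-Allow-Origin": "*" } },
  { url: "https://cdn.example.test/lib.js", headers: { "Access-Control-Allow-Origin": "*", "Timing-Allow-Origin": "https://other.example.test, https://partner.example.test" } },
];

console.log(auditResponses(SAMPLE, "https://app.example.test"));
```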