Re: [whatwg/fetch] Would it be sound for CORS middleware to fail the CORS check if the request's method hasn't been explicitly allowed? (Issue #1517)

Thanks for your reply, Anne.

> Can you be certain the endpoint pays attention to `Sec-Fetch-Mode`?

Indeed, I cannot make such an assumption.

> letting `POST` through some-of-the-time might not give you the protection you think it does.

True, it wouldn't protect me from CSRF. All it would do is prevent the attacker from reading the response to a `cors` request. I'm not sure this "feature" is worth the headache...

> Having said that, this seems like a question that's better posed on Stack Overflow. This repository is aimed squarely at improving the Fetch standard.

Incidentally, the issue was prompted by [a post on Stack Overflow](https://stackoverflow.com/questions/74057378/enable-cors-just-for-get-requests-in-asp-net-6), which put my understanding of best practices regarding CORS middleware into question. But yes, apologies about that; I needed the opinion of CORS experts. I'll refrain from asking questions of this kind here in the future.

Anyway, your reply has confirmed my intuition that this idea isn't worth pursuing. Thanks!

-- 
https://github.com/whatwg/fetch/issues/1517#issuecomment-1291614207

Received on Wednesday, 26 October 2022 07:29:10 UTC
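The point made in the reply above, that gating `POST` on the CORS check only hides the response from a cross-site page while the request itself still executes, as an added example that is not code from the thread or from any real CORS middleware. The allow-list logic is an assumed sketch of the idea in the issue; the origins, cookie value and request body are constructed.

```javascript
const ALLOWED_ORIGINS = new Set(["https://app.example"]); // assumed trusted front end
const ALLOWED_METHODS = new Set(["GET"]);                 // only GET is CORS-enabled

// corsHeaders: what a CORS middleware would attach, or nothing if the check fails.
function corsHeaders(req) {
  const origin = req.headers.origin;
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  if (!ALLOWED_METHODS.has(req.method)) return {}; // unlisted method: CORS check fails
  return { "Access-Control-Allow-Origin": origin };
}

// handleTransfer: a cookie-authenticated endpoint with a side effect (the CSRF target).
function handleTransfer(req, ledger) {
  if (req.method !== "POST") return { status: 405, body: "" };
  if (req.headers.cookie !== "session=abc") return { status: 401, body: "" };
  ledger.push(req.body); // the side effect happens regardless of CORS
  return { status: 200, body: "transfer queued" };
}

// simulateServer: usual ordering; the CORS layer decorates the response but never
// short-circuits the request, so the handler runs first.
function simulateServer(req, ledger) {
  return { ...handleTransfer(req, ledger), headers: corsHeaders(req) };
}

// browserExposesBody: the browser-side CORS check for a credentialed mode "cors" request
// ("*" is not accepted when credentials are included, so only an exact match counts).
function browserExposesBody(res, requestingOrigin) {
  const acao = res.headers["Access-Control-Allow-Origin"];
  return acao === requestingOrigin;
}

// Constructed cross-site POST: form-encoded, so no preflight, and the browser sends the
// victim's cookie along (assuming the cookie's SameSite attribute does not block it).
const csrfRequest = {
  method: "POST",
  headers: { origin: "https://attacker.example", cookie: "session=abc",
             "content-type": "application/x-www-form-urlencoded" },
  body: "to=mallory&amount=100",
};

// demo: the check "works" (no ACAO header, so the attacker page cannot read the body),
// but the transfer is still recorded, so CSRF is not mitigated.
function demo() {
  const ledger = [];
  const res = simulateServer(csrfRequest, ledger);
  const readable = browserExposesBody(res, csrfRequest.headers.origin);
  return { status: res.status, readable, ledgerSize: ledger.length };
}
```

The same ledger push would happen with any method allow-list, which is why the CSRF defence has to live in the endpoint (a token or a `Sec-Fetch-Site`/`Origin` check), not in the CORS layer.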