- From: Dave Longley <notifications@github.com>
- Date: Tue, 20 Sep 2022 14:35:02 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 20 September 2022 21:35:16 UTC
> Given that we have to reveal the origin, the simplest would be to always include it for "cors" requests... Shouldn't there be some way of sending a request (at least a non-same-origin request, including non-HEAD/GET methods) without an `origin` header, without making the response opaque, and without sending any credentials, in order to enable more privacy-preserving web applications? If the target server allows any origin (`Access-Control-Allow-Origin: *`) is there still a security danger in that case? My understanding is that web apps have to implement HTTP proxies in these cases in order to get to parity with native apps. -- Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/1022#issuecomment-1252939447 You are receiving this because you are subscribed to this thread. Message ID: <whatwg/fetch/issues/1022/1252939447@github.com>
Received on Tuesday, 20 September 2022 21:35:16 UTC