- From: arturjanc <notifications@github.com>
- Date: Tue, 26 Sep 2023 02:20:21 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 26 September 2023 09:20:26 UTC
One other thought that crossed my mind is that -- from the cookie model perspective -- while we generally want to allow credentialed cross-site CORS requests in the long term (under the conditions mentioned above), we want to reduce the number of situations where these requests are made with the POST method. This is because POST requests can trigger CSRF bugs; ideally, cross-site credentialed POSTs should require a CORS preflight, which means that owners of endpoints that rely on credentialed cross-origin POST requests will need to make these endpoints support preflights (which is likely a non-trivial change).

Here, we'll add a new case that sends authenticated cross-site POSTs, which might make locking down this pattern harder. I guess we could presumably exempt FedCM requests from preflight enforcement because they can only be made to URLs allowlisted in the FedCM manifest, but it's something we'll need to consider when we get to this.

Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/1637#issuecomment-1735155445
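As an added illustration of the policy the comment above argues for (this is example code written for this page, not from the whatwg/fetch thread, the Fetch spec editors, or any FedCM implementation), the following is one way an endpoint owner could make a credentialed cross-site POST endpoint "preflight-only": it classifies a request with the Fetch spec's CORS-safelisted rules, so that any form-shaped POST a browser would send without a preflight is refused, and only accepts cross-site credentialed POSTs from an allowlisted origin when the request shape guarantees a preflight happened. The origin names, cookie values and sample requests are constructed; `Sec-Fetch-Site` and `Origin` are real browser-set headers, and the use of both here is the example's own design choice.

```javascript
// Added example, not code from the whatwg/fetch thread or any FedCM implementation.
// Server-side policy: a credentialed cross-site POST is processed only when the
// browser must have sent a CORS preflight for it. Origins and requests are constructed.

// Header names and Content-Type values that never trigger a preflight (Fetch spec,
// "CORS-safelisted request-header"). An HTML <form> can produce exactly these
// requests, which is why they are the CSRF-relevant ones.
const CORS_SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFELISTED_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Headers the browser sets itself (forbidden request headers in the Fetch spec).
// Page script cannot set them, so they never force a preflight and are ignored
// when classifying the request shape. Subset listed here for the example.
const BROWSER_MANAGED_HEADERS = new Set(["cookie", "host", "origin", "referer", "user-agent", "connection", "content-length"]);

function lowerKeys(headers) {
  return Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// True when a browser would send this request WITHOUT a preflight ("simple" request).
function isCorsSafelistedRequest(method, headers) {
  if (!["GET", "HEAD", "POST"].includes(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(lowerKeys(headers))) {
    if (BROWSER_MANAGED_HEADERS.has(name) || name.startsWith("sec-") || name.startsWith("proxy-")) continue;
    if (!CORS_SAFELISTED_HEADERS.has(name)) return false;  // custom header => preflight
    if (name === "content-type") {
      const mime = String(value).split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return false;  // e.g. application/json => preflight
    }
  }
  return true;
}

// Response headers for an accepted credentialed cross-origin request.
// With credentials the origin must be echoed explicitly; "*" is not permitted.
function corsHeaders(origin) {
  return { "Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true", "Vary": "Origin" };
}

// OPTIONS handler: only allowlisted origins get a successful preflight response.
function handlePreflight(req, allowedOrigins) {
  const h = lowerKeys(req.headers);
  if (!h.origin || !allowedOrigins.has(h.origin)) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      ...corsHeaders(h.origin),
      "Access-Control-Allow-Methods": "POST",
      "Access-Control-Allow-Headers": "Content-Type",   // explicit list, not an echo of the request
      "Access-Control-Max-Age": "600",
    },
  };
}

// POST policy. Returns { allow, reason, headers? } for the caller to act on.
function authorizeCredentialedPost(req, allowedOrigins) {
  const h = lowerKeys(req.headers);
  const site = h["sec-fetch-site"];
  // Same-origin requests and user-initiated navigations ("none") never cross a site boundary.
  if (site === "same-origin" || site === "none") return { allow: true, reason: "same-origin" };
  // Cross-site (or unknown): the browser-set Origin header must be on the allowlist.
  if (!h.origin || !allowedOrigins.has(h.origin)) return { allow: false, reason: "origin-not-allowed" };
  // Even an allowlisted origin is accepted only in the preflighted shape, so the endpoint
  // never depends on non-preflighted credentialed cross-site POSTs working.
  if (isCorsSafelistedRequest(req.method, req.headers)) return { allow: false, reason: "preflight-required" };
  return { allow: true, reason: "preflighted-cross-site", headers: corsHeaders(h.origin) };
}

// Constructed sample traffic (hypothetical hosts rp.example, idp.example, other-site.example).
const ALLOWED_ORIGINS = new Set(["https://idp.example"]);
const formPostFromOtherSite = { method: "POST", headers: { Origin: "https://other-site.example", "Sec-Fetch-Site": "cross-site", "Content-Type": "application/x-www-form-urlencoded", Cookie: "session=constructed" } };
const formPostFromIdp = { method: "POST", headers: { Origin: "https://idp.example", "Sec-Fetch-Site": "cross-site", "Content-Type": "application/x-www-form-urlencoded", Cookie: "session=constructed" } };
const jsonPostFromIdp = { method: "POST", headers: { Origin: "https://idp.example", "Sec-Fetch-Site": "cross-site", "Content-Type": "application/json", Cookie: "session=constructed" } };
const sameOriginPost = { method: "POST", headers: { Origin: "https://rp.example", "Sec-Fetch-Site": "same-origin", "Content-Type": "application/x-www-form-urlencoded", Cookie: "session=constructed" } };

for (const [label, req] of Object.entries({ formPostFromOtherSite, formPostFromIdp, jsonPostFromIdp, sameOriginPost })) {
  console.log(label, authorizeCredentialedPost(req, ALLOWED_ORIGINS));
}
console.log("preflight from idp:", handlePreflight({ method: "OPTIONS", headers: { Origin: "https://idp.example", "Access-Control-Request-Method": "POST" } }, ALLOWED_ORIGINS).status);
```

The `preflight-required` branch is what the comment's proposal looks like from the endpoint's side: a form-encoded POST is refused even from an allowlisted origin, so the endpoint only ever works in the preflighted shape and would not break if browsers later require a preflight for credentialed cross-site POSTs. The FedCM exemption the comment mentions would be a separate allowlist decision layered on top, not something this example models.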