- From: Noam Rosenthal <notifications@github.com>
- Date: Tue, 28 Jan 2025 12:12:43 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1806/review/2579318512@github.com>
@noamr commented on this pull request.

> + +<h4 id=fetch-elsewhere-no-cors>No-CORS requests</h4> + +<p>Embedding cross-origin resources, without the ability to read them, existed prior to CORS. +Cross-origin images, scripts, stylesheets & media are embeddable in a <a for=/>document</a> without +the embedding <a for=/>origin</a> identifying themselves and receive explicit confirmation. + +<p>To maintain backwards compatibility, this form of fetching is still supported. Instead of +restricting the network access, the embedder is restricted in what they are allowed to do with the +<a for=/>response</a>. They can embed it in their document and present it to the user, but this has +to be done in a way that's opaque to the embedding origin. Only the user should have access to the +resource, not the embedder. + +<p>This mechanism of fetching should not be used in new specs. However, specs should be written with +the notion that no-CORS resources exists, and the new spec should not grant origins the ability to +read their contents.

This means that no-cors is legacy, and new specs should rely on cors for cross-origin resources. I can try to reword this somehow.

--
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/1806#discussion_r1932799478
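Review bot: In the last paragraph of the hunk, "should not be used in new specs" does not say what a new spec should use instead, and "written with the notion that no-CORS resources exists" leaves the actual requirement implicit. Suggest stating directly that new features fetch cross-origin resources with CORS, and that any new API must not expose the contents of a no-CORS response to the embedding origin. Two wording points in the same hunk: "resources exists" should be "resources exist", and in the first paragraph "identifying themselves and receive explicit confirmation" should read "identifying itself and receiving explicit confirmation".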
Received on Tuesday, 28 January 2025 20:12:47 UTC