- From: Noam Rosenthal <notifications@github.com>
- Date: Tue, 28 Jan 2025 12:13:29 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1806/review/2579320066@github.com>
@noamr commented on this pull request.

> + +<p>For any new spec invoking <a for=/>fetch</a> to access cross-origin rersources, CORS should be +the only option. This has been implemented in multiple newer standards such as web fonts and module +scripts. + +<h4 id=fetch-elsewhere-no-cors>No-CORS requests</h4> + +<p>Embedding cross-origin resources, without the ability to read them, existed prior to CORS. +Cross-origin images, scripts, stylesheets & media are embeddable in a <a for=/>document</a> without +the embedding <a for=/>origin</a> identifying themselves and receive explicit confirmation. + +<p>To maintain backwards compatibility, this form of fetching is still supported. Instead of +restricting the network access, the embedder is restricted in what they are allowed to do with the +<a for=/>response</a>. They can embed it in their document and present it to the user, but this has +to be done in a way that's opaque to the embedding origin. Only the user should have access to the +resource, not the embedder.

I didn't want to add something that wasn't mentioned at all in the fetch standard. Perhaps we can edit in later?
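Review bot: The sentence ending "without the embedding origin identifying themselves and receive explicit confirmation", in the first paragraph under the No-CORS requests heading, does not parse: "receive" should be "receiving", and "themselves" should be "itself" to agree with the singular "origin". In the paragraph above the heading, "rersources" is a typo for "resources". In the last paragraph, "opaque to the embedding origin" is the one key term in the hunk left without a cross-reference, while fetch, document, origin and response are all linked; linking it to Fetch's opaque filtered response definition would tell readers exactly which restrictions on the embedder the prose refers to.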
Received on Tuesday, 28 January 2025 20:13:33 UTC