- From: Dominic Farolino <notifications@github.com>
- Date: Wed, 29 Jan 2025 18:33:58 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1806/review/2582792641@github.com>
@domfarolino commented on this pull request.

> +
> +<h4 id=fetch-elsewhere-no-cors>No-CORS requests</h4>
> +
> +<p>Embedding cross-origin resources, without the ability to read them, existed prior to CORS.
> +Cross-origin images, scripts, stylesheets & media are embeddable in a <a for=/>document</a> without
> +the embedding <a for=/>origin</a> identifying themselves and receive explicit confirmation.
> +
> +<p>To maintain backwards compatibility, this form of fetching is still supported. Instead of
> +restricting the network access, the embedder is restricted in what they are allowed to do with the
> +<a for=/>response</a>. They can embed it in their document and present it to the user, but this has
> +to be done in a way that's opaque to the embedding origin. Only the user should have access to the
> +resource, not the embedder.
> +
> +<p>This mechanism of fetching should not be used in new specs. However, specs should be written with
> +the notion that no-CORS resources exists, and the new spec should not grant origins the ability to
> +read their contents.

Yep this is good, it summarizes the task that we kinda had to do in FLEDGE when it was using `no-cors`... basically it was "fine use no-cors if you absolutely must, but then we have to do the extra work of making sure we're definitely not exposing anything to script you can't already get access to"...

-- 
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/1806#discussion_r1934929846
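Review bot: two grammar slips in the added prose: "without the embedding <a for=/>origin</a> identifying themselves and receive explicit confirmation" should read "identifying itself and receiving explicit confirmation", and "no-CORS resources exists" should be "no-CORS resources exist". Style point in the second paragraph: "opaque" is the key security property here but is the one term left unlinked while <a for=/>document</a>, <a for=/>origin</a> and <a for=/>response</a> are linked; if the spec's filtered-response definition is the intended meaning, linking it would make the "nothing readable leaks to the embedder" requirement concrete for spec authors reading the last paragraph.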
Received on Thursday, 30 January 2025 02:34:02 UTC