Re: [whatwg/fetch] CORS readability for no-cors requests (Issue #1839) from Anne van Kesteren on 2025-11-12 (public-webapps-github@w3.org from November 2025)

From: Anne van Kesteren <notifications@github.com>
Date: Tue, 11 Nov 2025 19:14:25 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/1839/3519705697@github.com>

annevk left a comment (whatwg/fetch#1839)

Even for responses that are CORS-readable today we try to limit the amount of information that is exposed (see https://github.com/w3c/resource-timing/issues/381 for instance) to avoid exposing more information to cross-origin scripts.

So making more responses CORS-readable without even opt-in from the website would go counter towards that goal. Perhaps if the scope of the readability is limited it could be reasonable.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1839#issuecomment-3519705697
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/issues/1839/3519705697@github.com>

Received on Wednesday, 12 November 2025 03:14:29 UTC