- From: Patrick Meenan <notifications@github.com>
- Date: Tue, 28 Apr 2026 09:50:53 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 28 April 2026 16:50:57 UTC
pmeenan left a comment (whatwg/fetch#1839) I'm giving up on the opaque response path but I was wondering if it would be worth exploring ways to opt-in to uncredentialed cors for things like cross-origin `<script>` tags. The two possibilities that come to mind: 1 - Per-request, response header like `Crossorigin: Anonymous` that is stored with the response in cache and when the resource expires and is re-validated, it is done as an uncredentialed request (which can then `Access-Control-Allow-Origin: *`). 2 - Per-origin HSTS-like opt-in where an entire origin can be marked as cookieless and opted in to uncredentialed cors instead of no-cors. -- Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/1839#issuecomment-4337351951 You are receiving this because you are subscribed to this thread. Message ID: <whatwg/fetch/issues/1839/4337351951@github.com>
Received on Tuesday, 28 April 2026 16:50:57 UTC