- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Mon, 22 Nov 2010 08:43:39 -0500
- To: Jonas Sicking <jonas@sicking.cc>
- CC: Mark Nottingham <mnot@mnot.net>, public-webapps@w3.org
On 11/22/10 3:31 AM, Jonas Sicking wrote: > other person: Hmm.. we might want to disable cross-site posting for > forms some day, so is it such a good idea that cors enables it? > me: If we do disable it for forms we'll just disable it for cors too. > So much content will break for forms that the cors breakage won't be > what we're concerned about. > other person: Yeah, true. One _could_ make the argument (which I don't find terribly convincing, btw), that if we require CORS for cross-origin POST in XHR for now then people who want their POST pages accessible via XHR will add the right CORS headers over time, and as more and more stuff is done over a mix of XHR and normal requests most pages that really need to be accessed cross-site will have CORS headers. Then requiring preflights for normal forms won't break as much content. As I said, I'm not convinced that that middle steps of everyone wanting their stuff to be accessible over XHR will necessarily happen... -Boris
Received on Monday, 22 November 2010 13:44:31 UTC