- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 20 Feb 2015 08:14:46 +0100
- To: "henry.story@bblfish.net" <henry.story@bblfish.net>
- Cc: WebAppSec WG <public-webappsec@w3.org>
On Thu, Feb 19, 2015 at 11:17 PM, henry.story@bblfish.net <henry.story@bblfish.net> wrote:

> 1) requests that do not require authentication
> q1: why is the origin sent at all? And why are there still restrictions?
> q2: why does POSTing a url encoded form not require pre-flight? But why does POSTing other data do?
>
> 2) On requests that do need authentication:
> q3: Why are the pre-flight requests needed at all?

Authentication is not the important bit. The important bits are 1) protecting content behind a firewall and 2) fetches possible without CORS.

> But why can't it be the client? After all the user could
> decide to give more rights to some JS apps than to others, and that would work too.

No, nobody thus far has presented credible UX for that.

> I am not saying that these questions don't have answers. It is just that they
> would help a developer understand why CORS has taken the shape it has, and so
> understanding the reasons for the decisions taken, better be able to think about it.

https://fetch.spec.whatwg.org/#basic-safe-cors-protocol-setup has some of it. I guess I could add a background section with the bits above more explicitly, it's just that they follow naturally from the same-origin policy...

--
https://annevankesteren.nl/
Received on Friday, 20 February 2015 07:15:10 UTC
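The split that q2 asks about, a url-encoded form POST going out without a preflight while a JSON POST triggers one, comes from the "CORS-safelisted" method and request-header rules in the Fetch standard. The following is an added example, not code from the thread or the spec, that encodes those rules in simplified form (the `Range` header and the byte-level value checks are omitted) so a server operator can predict which cross-origin requests will reach an endpoint with no OPTIONS round trip at all:

```python
"""Predict whether a cross-origin browser request triggers a CORS preflight.

Added example; simplified transcription of the CORS-safelisted rules in
https://fetch.spec.whatwg.org/ (Range header and CORS-unsafe byte checks
left out). Credentials such as cookies do not by themselves cause a
preflight, which is why "authentication is not the important bit".
"""
from typing import Mapping

SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
# Exactly the media types an HTML <form> could already send before CORS existed.
SAFELISTED_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
MAX_SAFE_VALUE_LEN = 128  # Fetch caps a safelisted header value at 128 bytes


def _header_is_safelisted(name: str, value: str) -> bool:
    name = name.lower()
    if name not in SAFELISTED_HEADERS:
        return False
    if len(value.encode("utf-8")) > MAX_SAFE_VALUE_LEN:
        return False
    if name == "content-type":
        # Only the MIME essence (type/subtype) counts; parameters such as
        # charset are ignored, so "text/plain; charset=utf-8" is still safe.
        essence = value.split(";", 1)[0].strip().lower()
        return essence in SAFELISTED_CONTENT_TYPES
    return True


def needs_preflight(method: str, headers: Mapping[str, str]) -> bool:
    """True if the browser sends an OPTIONS preflight before this request."""
    if method.upper() not in SAFELISTED_METHODS:
        return True
    return not all(_header_is_safelisted(n, v) for n, v in headers.items())


if __name__ == "__main__":
    # Constructed sample requests matching the cases raised in the thread.
    form_post = {"Content-Type": "application/x-www-form-urlencoded"}
    json_post = {"Content-Type": "application/json"}
    print(needs_preflight("POST", form_post))  # False: a plain form could send this
    print(needs_preflight("POST", json_post))  # True: nothing pre-CORS could send it
    print(needs_preflight("DELETE", {}))       # True: non-safelisted method
    print(needs_preflight("GET", {"X-Requested-With": "XMLHttpRequest"}))  # True
```

The practical consequence for a server inside a firewall is that every request `needs_preflight` returns `False` for will arrive with a cookie-bearing, browser-issued request body whether or not the server ever answers an OPTIONS request, so state-changing form-style endpoints still need CSRF protection and an explicit `Origin` check rather than relying on preflight.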