Re: Request for input on Foreign Fetch

On 28 January 2016 at 06:08, Anne van Kesteren <annevk@annevk.nl> wrote:
> I meant the latter. We would not issue an OPTIONS fetch. CORS OPTIONS
> is a check to see if the server is CORS-aware. Here the service worker
> obviously is aware of cross-origin fetches.

Ack, thanks.  That leaves the question of ambient authority and I
think for that you already have your answer and you just aren't happy
with it :)

Namely, opting in to foreign fetch for a given path prefix (or scope)
is an implicit acceptance of the use of ambient authority for all
those intercepted requests.  Suppressing credentials and reducing
visibility would be the responsibility of the SW using explicit
controls, not the browser using implicit inference.

Ultimately, I think that's a nice outcome.

Can then we reduce this problem to one of developer education?

Received on Thursday, 28 January 2016 04:16:12 UTC