- From: Emily Stark <estark@google.com>
- Date: Sat, 22 Jul 2017 12:01:36 +0200
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Saturday, 22 July 2017 10:02:19 UTC
I wanted to draw attention to a discussion we're having on Fetch about the fact that certain requests are de facto exempted from sending CORS preflights: https://github.com/whatwg/fetch/issues/567

The gist of it is that various specs include various types of "special" requests without CORS preflights, even though they are triggered by web content, to a URL controlled by web content, and are not safe/simple requests. (CSP reports, HPKP reports, OCSP requests, etc.)

Realistically, browsers aren't going to start preflighting these requests anytime soon, for various reasons including compatibility, layering considerations, and implementation challenges. So we figure we might as well document the exceptions in Fetch rather than try to coerce these strange requests into CORS.

If you have any opinions, please share them on the bug. Thanks!