Re: CORS restrictions on preflight (too) strict?

There are no planned revisions of the "CORS" spec. CORS is now
incorporated as part of the Fetch spec, which continues to evolve. The
mail from two years ago references a Fetch spec issue and that seems
like the appropriate place to discuss this.

I think Ruben went wrong trying to argue all Accept-* headers are
safe. The CORS approach has been "This has never been allowed in the
past and servers aren't defending against it--we're only going to poke
holes for things we can prove are harmless". He should have made a
case for his specific protocol's set of headers, or pursued the
"Safe-*" header option Anne suggested. Though that, of course, would
require the Memento protocol changing its headers.

-Dan Veditz

Received on Friday, 3 August 2018 17:11:28 UTC