- From: Anne van Kesteren <annevk@opera.com>
- Date: Sat, 18 Jun 2011 10:01:07 +0200
On Sat, 18 Jun 2011 00:31:42 +0200, Ian Hickson <ian at hixie.ch> wrote: > The reason we _didn't_ send credentials by default for <img> was that > most cross-origin images are going to be static, and it would be a huge > pain > for the server to have to do per-connection work to determine the HTTP > headers each time. With EventSource, that's a non-issue, since the server > is going to have to do lots of much heavier per-connection work anyway. I think we should change CORS to allow * for credentialed requests. People have already asked for that. That would also allow dropping the crossorigin="" attribute which complicates the request model for the elements it is applicable to a lot. (Too much, in my opinion.) (I designed CORS in such a way it could be used for <img> and such without the need to introduce new syntax.) -- Anne van Kesteren http://annevankesteren.nl/
Received on Saturday, 18 June 2011 01:01:07 UTC