Anne van Kesteren
annevk at annevk.nl
Tue Apr 9 09:27:14 PDT 2013
On Tue, Apr 9, 2013 at 4:54 PM, Mark S. Miller <erights at google.com> wrote:
> Sorry, not preflight. Anne is right -- a normal GET does not require a
> preflight. Rather, the UMP and CORS cost that would be good to avoid if we
> can is the need for the "Access-Control-Allow-Origin: *"
> header. But the conclusion is the same. Given a choice between this and
> credentials, I'd prefer to require this header.
1) Given translation you're required to use CORS for cross-origin
fetching to protect intranets (unfortunate as that may be). So like
<script src> is out of the equation. This also means the header is
required for such cross-origin resources.
2) I suspect you want a way to opt into using credentials (similar to
<script crossorigin=use-credentials src>), but I agree that by default
you should not include them (similar to <script crossorigin src>).
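
Added example, not part of the original message: a sketch of the check a browser applies to a cross-origin response, following the CORS check steps in the Fetch Standard, to show why "Access-Control-Allow-Origin: *" is enough for the anonymous default but not for the use-credentials opt-in. The function names, the origin https://app.example and the header sets are assumptions constructed for illustration.

```javascript
// Map an HTML crossorigin attribute value to a fetch credentials mode.
// Only "use-credentials" opts in; "", "anonymous" and unknown values are anonymous.
function credentialsModeFor(crossorigin) {
  return String(crossorigin).toLowerCase() === 'use-credentials'
    ? 'include'
    : 'same-origin';
}

// CORS check on a cross-origin response. Returns true if the response may be
// exposed to the requesting origin.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = value; // header names are case-insensitive
  }
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) return false;            // header is required
  if (credentialsMode !== 'include' && allowOrigin === '*') return true;
  if (allowOrigin !== requestOrigin) return false;        // "*" never matches here
  if (credentialsMode !== 'include') return true;
  // Credentialed fetch: the server must also opt in explicitly.
  return h['access-control-allow-credentials'] === 'true';
}

// Constructed sample values.
const PAGE_ORIGIN = 'https://app.example';
const WILDCARD = { 'Access-Control-Allow-Origin': '*' };
const WILDCARD_PLUS_CREDS = {
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Credentials': 'true',
};
const EXACT_PLUS_CREDS = {
  'Access-Control-Allow-Origin': PAGE_ORIGIN,
  'Access-Control-Allow-Credentials': 'true',
};

for (const attr of ['', 'use-credentials']) {
  const mode = credentialsModeFor(attr);
  console.log(JSON.stringify(attr), mode, {
    noHeader: corsCheck(PAGE_ORIGIN, mode, {}),
    wildcard: corsCheck(PAGE_ORIGIN, mode, WILDCARD),
    wildcardPlusCreds: corsCheck(PAGE_ORIGIN, mode, WILDCARD_PLUS_CREDS),
    exactPlusCreds: corsCheck(PAGE_ORIGIN, mode, EXACT_PLUS_CREDS),
  });
}
```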