Mark S. Miller
erights at google.com
Tue Apr 9 09:39:03 PDT 2013
On Tue, Apr 9, 2013 at 9:33 AM, Brandon Benvie <bbenvie at mozilla.com> wrote:
> On 4/9/2013 9:27 AM, Anne van Kesteren wrote:
>> 1) Given translation you're required to use CORS for cross-origin
>> fetching to protect intranets (unfortunate as that may be). So like
>> <script src> is out of the equation. This also means the header is
>> required for such cross-origin resources.
>> 2) I suspect you want a way to opt into using credentials (similar to
>> <script crossorigin=use-credentials src>), but I agree that by default
>> you should not include them (similar to <script crossorigin src>).
> Based on these two, it would seem to make sense to tie CORS to the
> translate step. If translation isn't needed (which is the common use case)
> then CORS isn't needed either.
That would be an annoying non-uniformity, but I see the sense of it.
However, if we do adopt that non-uniformity, we should still not send
credentials by default -- even if the request is same origin. In this
regard, we should strive to be safer than the script tag.