Open mnot opened 8 years ago
The solution here is Origin Policy I hope.
This is very similar to my comment here: https://bugs.chromium.org/p/chromium/issues/detail?id=590714#c17
I think this can be addressed by either setting additional headers to indicate a host-wide opt-in, or via something under .well-known. Preflighting every single request in all cases is definitely excessive and the current CORS caching mechanism (keying on the full URL) is too granular to solve that problem.
Leveraging CORS here makes sense from a using-tools-that-are-already-defined standpoint, but this use is a poster child for how chatty CORS is.
In many cases, the decision about whether data is allowed is going to be origin-wide; either "yes, I'm on the Internet" or "no, I'm not."
See also whatwg/fetch#210.
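To make the "too granular" point above concrete, here is an added illustration (not code from the thread or from any browser) that models the CORS-preflight cache keying entries on the full URL, as the Fetch spec does, against a hypothetical origin-wide decision. The hostnames and paths are constructed sample data.

```javascript
// Added model of the Fetch-spec CORS-preflight cache (not browser code).
// Real entries are keyed on origin, URL, credentials mode, method and
// header names; the full URL in the key is what makes the cache per-resource.
function preflightKey(req) {
  return [req.origin, req.url, req.credentials ? "cred" : "nocred", req.method].join("|");
}

// Hypothetical origin-wide alternative: one decision per target origin,
// regardless of path (the kind of opt-in the comment above argues for).
function originKey(req) {
  return new URL(req.url).origin;
}

// Replay a sequence of requests and count how many OPTIONS preflights a
// cache with the given key function would send. `maxAge` stands for the
// Access-Control-Max-Age the server returns; `req.time` is seconds elapsed.
function countPreflights(requests, maxAge, keyFn) {
  const cache = new Map(); // key -> expiry time
  let preflights = 0;
  for (const req of requests) {
    const key = keyFn(req);
    const expiry = cache.get(key);
    if (expiry === undefined || expiry <= req.time) {
      preflights++; // cache miss or expired entry: a preflight goes out
      cache.set(key, req.time + maxAge);
    }
  }
  return preflights;
}

// Constructed sample: a public page fetching five distinct resources from
// one private-network device within a few seconds.
const sample = [
  "/api/status", "/api/devices", "/api/devices/1", "/api/devices/2", "/api/log",
].map((path, i) => ({
  origin: "https://app.example", url: "http://device.lan" + path,
  credentials: false, method: "GET", time: i,
}));

// URL-keyed caching preflights every distinct URL; an origin-wide decision
// would need a single round trip for the whole host.
function compare() {
  return {
    urlKeyed: countPreflights(sample, 600, preflightKey),
    originKeyed: countPreflights(sample, 600, originKey),
  };
}
```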