Idea we've been toying with: How about allowing anonymous (i.e. no credentials or cookies) cross-origin XHR/fetch? Note: This assumes additional guard rails for localhost/intranet/non-routables, plus a simple opt-out.
-
Show this thread
-
Replying to @justinschuh
what about services that use source IP for rate limiting / banning / abuse detection?
1 reply 0 retweets 1 like -
Replying to @tehjh
How is that different from a blind request today? Or are you suggesting that an attacker would start using other hosts as zombies to proxy requests in order to avoid rate limiting?
2 replies 0 retweets 0 likes -
Replying to @justinschuh
[IMO ability to do blind requests is a historical SOP weakness, and there should be an opt-in way to whitelist origin entry points and methods of origin entry (e.g. "only permit entry via top-level link (e.g. no cross-origin script/image embedding), only to /entrypoint/*") :P]
1 reply 0 retweets 0 likes
9:18 PM - 18 Mar 2018
0 replies
2 retweets
4 likes
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.
& Web Standards TL; Blink API OWNER
Named PWAs w/
DMs open. Tweets my own; press@google.com for official comms.