Idea we've been toying with: How about allowing anonymous (i.e. no credentials or cookies) cross-origin XHR/fetch? Note: This assumes additional guard rails for localhost/intranet/non-routables, plus a simple opt-out.
Replying to @lcamtuf
Well, the idea is that the enterprise would have full control over blocking via policy, in addition to any default restrictions.
Justin Schuh 😷 @justinschuh
Replying to @mik235 @lcamtuf
The idea is to make it easy for sites to access public resources, instead of forcing them to proxy everything through their own servers like they do today. That's why it would have to be opt-out (via default restrictions, enterprise policy, origin policy, header, etc.).
Replying to @justinschuh @lcamtuf
I don't follow, why can't public resources be marked public resources? I guess I'm describing CORS though, hah.
Yup. Hence the problem. Public resources are overwhelmingly not marked public, so we have a mess of ugly proxies that create their own host of problems.
