Idea we've been toying with: How about allowing anonymous (i.e. no credentials or cookies) cross-origin XHR/fetch? Note: This assumes additional guard rails for localhost/intranet/non-routables, plus a simple opt-out.
How is that different from a blind request today? Or are you suggesting that an attacker would start using other hosts as zombies to proxy requests in order to avoid rate limiting?
[IMO ability to do blind requests is a historical SOP weakness, and there should be an opt-in way to whitelist origin entry points and methods of origin entry (e.g. "only permit entry via top-level link (e.g. no cross-origin script/image embedding), only to /entrypoint/*") :P]