Idea we've been toying with: How about allowing anonymous (i.e. no credentials or cookies) cross-origin XHR/fetch? Note: This assumes additional guard rails for localhost/intranet/non-routables, plus a simple opt-out.
Replying to @justinschuh
What about services that use source IP for rate limiting / banning / abuse detection?
Replying to @tehjh
How is that different from a blind request today? Or are you suggesting that an attacker would start using other hosts as zombies to proxy requests in order to avoid rate limiting?
Replying to @justinschuh
Yes, clients as zombies to proxy requests. Probably not particularly likely in practice, but it seems like avoidable badness.
6:19 PM - 18 Mar 2018