Hot take: CORS is stupid and useless and a complete failure.
You could follow by admitting that secrets in credentialed JS make no sense: due to execution and toString, JS content is always public.
Then you solve for the intranet use case, which, in the absence of credentials, can be solved via a single ACAO: * header.
You can't opt all scripts into a better public world, but we can do that for modules: assume from the get-go that modules aren't protected.
Put your secrets somewhere else. Function.prototype.toString makes JS a bad place to store secrets. Like putting keys in a fish tank.
To recap: Access-Control-Allow-Origin: * is the one true cross-origin opt-in ("I am not an intranet"). New APIs don't send credentials 1/
by default. New kinds of scripts are public by default and don't support credentials, so CORS not needed. Even intranets are vulnerable 2/
to Function.prototype.toString, so don't give the illusion of security. New kind of content so doesn't affect billions of existing pages 3/3
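The rules the recap describes, as an added example that is not from the thread or its author: a simplified version of the browser's CORS response check from the Fetch standard (a single Access-Control-Allow-Origin value, no "null" origin handling), plus a Function.prototype.toString check showing why a key baked into delivered script is public. The page origin, the header objects and the key value are constructed.

```javascript
// Added example, not code from the thread. Two things the thread asserts, made concrete:
// (1) the browser-side CORS response check, simplified from the Fetch standard
//     (single ACAO value assumed, "null" origins not handled), and
// (2) a reviewer check showing that any literal in delivered JS is readable
//     through Function.prototype.toString.

// Return true when a cross-origin response is readable by the calling page.
// `credentials` is true when cookies or HTTP auth were attached to the request.
function corsReadable(requestOrigin, credentials, headers) {
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) return false;      // no opt-in at all: body withheld
  if (acao === '*') return !credentials;     // the "I am not an intranet" opt-in covers anonymous requests only
  if (acao !== requestOrigin) return false;  // an explicit origin must match exactly
  if (!credentials) return true;
  // Credentialed access additionally needs an explicit ACAC: true.
  return headers['access-control-allow-credentials'] === 'true';
}

// The cases the thread contrasts, for one constructed page origin.
function scenarios() {
  const origin = 'https://app.example';       // constructed origin
  const star = { 'access-control-allow-origin': '*' };
  const exact = { 'access-control-allow-origin': origin, 'access-control-allow-credentials': 'true' };
  return {
    starAnonymous: corsReadable(origin, false, star),    // true: ACAO * opt-in works
    starWithCookies: corsReadable(origin, true, star),   // false: * never unlocks credentials
    exactWithCookies: corsReadable(origin, true, exact), // true: the only route to credentialed access
    noHeader: corsReadable(origin, false, {}),           // false: no opt-in
  };
}

// A client that ships its key inside the script. The key is a constructed
// placeholder; the function body deliberately carries no comments so the
// extractor below sees only its real literals.
function makeClient() {
  const apiKey = 'CONSTRUCTED-EXAMPLE-KEY-1234';
  return (path) => ({ url: 'https://api.example' + path, headers: { 'X-Api-Key': apiKey } });
}

// What a reviewer (or anyone who loaded the script) can recover: every
// single-quoted literal in the function source, key included.
function extractLiteralSecrets(fn) {
  const src = Function.prototype.toString.call(fn);
  return [...src.matchAll(/'([^']*)'/g)].map((m) => m[1]);
}

console.log(scenarios(), extractLiteralSecrets(makeClient));
```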