Hot Take: CORS Is stupid and useless and a complete failure.
Put your secrets somewhere else. Function.prototype.toString makes JS a bad place to store secrets. Like putting keys in a fish tank.
-
-
To recap: Access-Control-Allow-Origin: * is the one true cross-origin optin ("I am not an intranet"). New APIs don't send credentials 1/
-
by default. New kinds of scripts are public by default and don't support credentials, so CORS not needed. Even intranets are vulnerable 2/
-
to Function.prototype.toString so don't give the illusion of security. New kind of content so doesn't affect billions of existing pages 3/3
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.