Add unsafe-no-cors mode #1533
Open
Add unsafe-no-cors mode #1533
Commits on Nov 7, 2022
-
We identified a potential need for a more sustainable no-cors mode in discussion surrounding FedCM. The purpose is to create a browser-process priveleged mode that will not fail the Access-Control-Allow-Origin CORS checks while otherwise behaving like a normal CORS request. Here are the deviations I have made from cors mode to make unsafe-no-cors are: - do not perform the "CORS check" (ACAO/ACAC) - allow the request to set a new omit origin flag that forces omission of the Origin header - require a request to have a policy container specified (via the client is allowed) - require the service worker mode to not be all Because this is such an unsafe mode I added an explanation inline with the other definitions of request modes and a warning about concerns and hand-waves about the client's agent cluster. Happy to get feedback on this draft!
Commits on Nov 14, 2022
Commits on Nov 22, 2022
Commits on Nov 30, 2022
-
First attempt at placing the Origin header under full control of "uns…
…afe-no-cors" mode
Commits on Jan 16, 2023
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.