Julia EvansFeb 5

something I'm struggling to understand about browser security is why you can send cross-origin POST requests with the user's cookies with a form, but the exact same fetch() call won't include the cookies

(I mean it's clear why we would NOT want to include the cookies, but it feels weird that it's allowed in one context but not in another)

Show threadJulia EvansFeb 5
i think the answer i'm hearing to this is that form submissions & the fetch() API were just invented at totally different times. When we decided how forms work it was a simpler time and we were more trusting and we're stuck with those decisions now
Show threadKofzmann
@b0rk any security rooted in JavaScript implementation like fetch is not safe, anyone can set http headers like a cookie in any kind of http request. Html forms are based on http only, fetch is client side scripting. Just security must be server side primarily
Feb 5 at 7:51pmWeb