Something I'm struggling to understand about browser security is why you can send cross-origin POST requests with the user's cookies with a form, but the exact same fetch() call won't include the cookies.

(I mean it's clear why we would NOT want to include the cookies, but it feels weird that it's allowed in one context but not in another)

I think the answer I'm hearing to this is that form submissions & the fetch() API were just invented at totally different times. When we decided how forms work, it was a simpler time and we were more trusting, and we're stuck with those decisions now.

@b0rk Wasn't the fetch API basically created in response to the rise of RESTful APIs and - perhaps more accurately - "ajax" asynchronous browser calls?

Form handling wraps it all up for you during a time when most of the server functionality we take for granted didn't exist - we used to use SSE for "GIF" animation!

So, yeah, simpler time in a lot of ways. HTML was never meant to be a full language, but JavaScript changed that expectation.
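
An added example, not part of the thread or written by its participants: because a cross-origin form POST arrives carrying the user's cookies, a server can look at the browser-set `Sec-Fetch-Site` and `Origin` headers to decide whether to honour a state-changing request. The origin `https://bank.example`, the function names, the allow/deny policy and the sample requests are assumptions constructed for illustration.

```javascript
// Added example: server-side check for cookie-bearing cross-origin POSTs.
// OWN_ORIGIN, the policy and the sample requests are constructed assumptions.
const OWN_ORIGIN = "https://bank.example";
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// headers: plain object with lower-cased names (the shape Node's http gives).
function checkStateChange(method, headers, ownOrigin = OWN_ORIGIN) {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { allowed: true, reason: "safe method" };
  }
  // Policy choice for this sketch: without a cookie there is no ambient
  // credential for another site's form to ride on.
  if (!headers["cookie"]) {
    return { allowed: true, reason: "no ambient credentials" };
  }
  // Fetch Metadata header: set by the browser, not settable by page script.
  const site = headers["sec-fetch-site"];
  if (site !== undefined) {
    const ok = site === "same-origin" || site === "none";
    return { allowed: ok, reason: `sec-fetch-site=${site}` };
  }
  // Browsers without Fetch Metadata: fall back to the Origin header.
  const origin = headers["origin"];
  if (origin !== undefined) {
    return { allowed: origin === ownOrigin, reason: `origin=${origin}` };
  }
  return { allowed: false, reason: "cookie present but no origin signal" };
}

// Constructed sample requests (not captured traffic).
const samples = [
  { name: "cross-site form POST", method: "POST",
    headers: { cookie: "sid=abc", origin: "https://other.example", "sec-fetch-site": "cross-site" } },
  { name: "same-origin form POST", method: "POST",
    headers: { cookie: "sid=abc", origin: OWN_ORIGIN, "sec-fetch-site": "same-origin" } },
  { name: "cross-origin POST, Origin only", method: "POST",
    headers: { cookie: "sid=abc", origin: "https://other.example" } },
  { name: "cookie, no origin signal", method: "POST", headers: { cookie: "sid=abc" } },
  { name: "cross-site GET", method: "GET",
    headers: { cookie: "sid=abc", "sec-fetch-site": "cross-site" } },
];

function runSamples() {
  return samples.map((s) => [s.name, checkStateChange(s.method, s.headers).allowed]);
}
console.log(runSamples());
```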