Julia EvansFeb 5

something I'm struggling to understand about browser security is why you can send cross-origin POST requests with the user's cookies with a form, but the exact same fetch() call won't include the cookies

(I mean it's clear why we would NOT want to include the cookies, but it feels weird that it's allowed in one context but not in another)

Show threadJulia EvansFeb 5
i think the answer i'm hearing to this is that form submissions & the fetch() API were just invented at totally different times. When we decided how forms work it was a simpler time and we were more trusting and we're stuck with those decisions now
Show threadednl 🇪🇺
@b0rk Yep, definitely that. Though it would be interesting to know when exactly cookies started being sent by form posts (I guess always because it's just another http request). It seems both were invented in 1994, cookies by Lou Montulli at Netscape, forms by people making the Viola browser. As a budding web developer in those days (from about 1997) I always used forms but had to really get my head around cookies.
Feb 5 at 7:58pmWeb