something I'm struggling to understand about browser security is why you can send cross-origin POST requests with the user's cookies with a form, but the exact same fetch() call won't include the cookies

(I mean it's clear why we would NOT want to include the cookies, but it feels weird that it's allowed in one context but not in another)

@b0rk partly historical reasons and partly that script cannot read the response to a POST submitted via a form. letting it send the request still carries risk though

@b0rk (a long time ago I have had to do cross origin work by making a script construct a <form> and submit it)

@jcoglan it feels like we think allowing this kind of cross-origin POST request is bad but also once we realized that it was bad it was too late to change it

(though I guess browsers are actually evolving the SameSite defaults so things are changing slowly)

@b0rk @jcoglan cors is so pitiful. this is only one example. who thought silently making an extra, uncacheable OPTIONS request was a good idea?

@wwarner @b0rk I maintain a pub sub messaging library and I've been mad about this for about 15 years at this point :) I also somewhere have a notes file on CORS because it is so baffling, if that would be useful
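The two browser decisions the thread argues about, as an added example that is not part of the original thread and not code from any of the participants: first, whether a cookie travels on a cross-site request depending on how that request was started (a top-level form navigation versus a script `fetch()`), the fetch credentials mode, and the cookie's SameSite attribute; second, which cross-origin `fetch()` calls trigger the extra OPTIONS preflight. It is a simplified model of the Fetch and Cookies spec rules, not a browser implementation; the cookie strings and request objects are constructed for illustration, and Chrome's temporary "Lax+POST" two-minute exception is deliberately left out.

```javascript
// Added example (not from the thread): a simplified model of two browser
// decisions the discussion is about.
//  1. cookieIsSent(): does a request carry a cookie, given the cookie's
//     SameSite attribute, how the request was initiated (a top-level form
//     navigation vs. a script fetch()) and, for fetch(), its credentials mode?
//  2. needsPreflight(): does a cross-origin fetch() trigger the extra OPTIONS
//     request, i.e. is it NOT a CORS "simple request"?
// Rules follow the Fetch and Cookies specs but are reduced to the cases
// relevant here; Chrome's temporary "Lax+POST" two-minute exception is ignored.

const SAME_SITE_DEFAULT = "Lax"; // what current browsers assume when the attribute is absent

// Parse a Set-Cookie header into the attributes this model needs.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    sameSite: SAME_SITE_DEFAULT,
    secure: false,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "secure") cookie.secure = true;
    if (key === "samesite" && v) cookie.sameSite = v[0].toUpperCase() + v.slice(1).toLowerCase();
  }
  return cookie;
}

// req: { crossSite, kind: "navigation" | "fetch", method, credentials?, headers? }
function cookieIsSent(cookie, req) {
  // Browsers reject SameSite=None cookies that are not also Secure, so such a
  // cookie is never stored and therefore never sent.
  if (cookie.sameSite === "None" && !cookie.secure) return false;
  if (!req.crossSite) {
    // Same-site: only fetch(..., { credentials: "omit" }) drops cookies.
    return !(req.kind === "fetch" && req.credentials === "omit");
  }
  // A cross-site fetch() sends cookies only when explicitly asked to; the
  // default credentials mode is "same-origin".
  if (req.kind === "fetch" && req.credentials !== "include") return false;
  switch (cookie.sameSite) {
    case "Strict":
      return false;
    case "Lax":
      // Lax allows top-level navigations with a safe method (GET), not POST.
      return req.kind === "navigation" && req.method === "GET";
    case "None":
      return true; // the pre-SameSite behaviour: cookies ride along on any request
    default:
      return false;
  }
}

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// A cross-origin fetch() that a plain HTML form could also have produced
// (same method set, same headers, same content types) needs no preflight.
function needsPreflight(req) {
  if (!req.crossSite) return false;
  if (!SIMPLE_METHODS.has(req.method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(req.headers || {})) {
    const n = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(n)) return true;
    const ct = String(value).split(";")[0].trim().toLowerCase();
    if (n === "content-type" && !SIMPLE_CONTENT_TYPES.has(ct)) return true;
  }
  return false;
}

// Constructed scenarios: the same cross-site POST sent by a form and by fetch().
function demo() {
  const defaultCookie = parseSetCookie("session=abc123; Path=/; HttpOnly");   // no SameSite -> Lax
  const noneCookie = parseSetCookie("session=abc123; SameSite=None; Secure");  // opted back in
  const formPost = { crossSite: true, kind: "navigation", method: "POST" };
  const fetchPost = {
    crossSite: true, kind: "fetch", method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
  };
  return {
    formPostNone: cookieIsSent(noneCookie, formPost),           // true: the form carries the cookie
    fetchPostNone: cookieIsSent(noneCookie, fetchPost),         // false: credentials defaults to same-origin
    fetchPostNoneInclude: cookieIsSent(noneCookie, { ...fetchPost, credentials: "include" }), // true
    formPostLaxDefault: cookieIsSent(defaultCookie, formPost),  // false: Lax-by-default closes the form path
    formGetLaxDefault: cookieIsSent(defaultCookie, { ...formPost, method: "GET" }), // true
    preflightFormEncoded: needsPreflight(fetchPost),            // false: form-shaped request, no OPTIONS
    preflightJson: needsPreflight({ ...fetchPost, headers: { "Content-Type": "application/json" } }), // true
  };
}

console.log(demo());
```

Run it with `node` to see the table. The asymmetry the first post asks about is visible in `formPostNone` versus `fetchPostNone`: with a SameSite=None cookie the form POST carries it while the equivalent `fetch()` does not unless `credentials: "include"` is set; with today's Lax default (`formPostLaxDefault`) the form path is closed as well. The last two entries show why the preflight is tied to the same boundary: a request a form could have sent gets no OPTIONS, anything beyond that does.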