Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

QUERY: What to say about CORS? #2898

Closed
nicowilliams opened this issue Sep 16, 2024 · 9 comments
Closed

QUERY: What to say about CORS? #2898

nicowilliams opened this issue Sep 16, 2024 · 9 comments

Comments

@nicowilliams
Copy link

A safe method with a request body should probably have the same CORS handling as GET, I think.

@MikeBishop
Copy link
Contributor

CORS is not a feature of HTTP itself; it's something defined at the browser level on top of HTTP.

@reschke
Copy link
Contributor

reschke commented Sep 17, 2024

That's an interesting question, but I'm not sure that touching CORS is going to work. But certainly we can make the Fetch authors think about it.

@nicowilliams
Copy link
Author

The Security Considerations section certainly could say something to the effect that because QUERY is a safe and idempotent method, something like: "we expect that CORS should evolve to treat QUERY in a substantially similar way as GET".

HTML too will need extensions to support the use of QUERY from HTML. My guess is that JavaScript will probably get support for QUERY before HTML. Cross-origin QUERY requests ought to work as well as cross-origin GETs.

@reschke
Copy link
Contributor

reschke commented Sep 18, 2024

We usually do not put requests to other standards bodies into our specs.

If we feel that something should be done, we ought to discuss that in their discussion venue.

@nicowilliams
Copy link
Author

Text about this can say something like: "We expect that an upcoming update to CORS will handle QUERY similar to GET, however, we cannot update CORS. Implementors should watch for updates to CORS."

@reschke
Copy link
Contributor

reschke commented Sep 18, 2024 via email

@nicowilliams
Copy link
Author

I don't see why non-normative language would be removed at WGLC or IETF LC, but you could always merely note that currently CORS cannot and does not say anything about QUERY.

@reschke
Copy link
Contributor

reschke commented Sep 18, 2024

Why would Javascript need extensions for QUERY?

@reschke
Copy link
Contributor

reschke commented Sep 19, 2024

See whatwg/fetch#1774

reschke added a commit that referenced this issue Nov 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

No branches or pull requests

3 participants