On Tue, Apr 9, 2013 at 4:54 PM, Mark S. Miller <[email protected]> wrote: > Sorry, not preflight. Anne is right -- a normal GET does not require a > preflight. Rather, the UMP and CORS cost that would be good to avoid if we > can is the need for the need for the "Access-Control-Allow-Origin: *" > header. But the conclusion is the same. Given a choice between this and > credentials, I'd prefer to require this header.
1) Given translation you're required to use CORS for cross-origin fetching to protect intranets (unfortunate as that may be). So like <script src> is out of the equation. This also means the header is required for such cross-origin resources. 2) I suspect you want a way to opt into using credentials (similar to <script crossorigin=use-credentials src>), but I agree that by default you should not include them (similar to <script crossorigin src>). -- http://annevankesteren.nl/ _______________________________________________ es-discuss mailing list [email protected] https://mail.mozilla.org/listinfo/es-discuss
