[Proposal] New fetch mode "foreign-cors"

HKalbasi · August 26, 2020, 4:49pm

migrated from https://es.discourse.group/t/new-fetch-mode-foriegn-cors/441

In many use cases of fetching data from cross origins, It doesn’t matter “who” fetchs the data and data will be the same for every one. In those cases, cors is just a trouble and people often use cors proxies as a workaround.

Foriegn-cors

This mode fetch content as a standalone native app and don’t send any browser data, such as cookies, preferred language, … .

Why?

It fix most cases of cors problems
No need for cors-proxy
- no third party down time or gone away (like dead cors.io or crossorigin.me)
- no risk of man in the middle by proxy
Fill the gap between native app and web app

yoavweiss · August 27, 2020, 9:46pm

One of the reasons CORS is needed is to protect internal servers from request types they may not expect. See https://annevankesteren.nl/2015/02/same-origin-policy

HKalbasi · August 28, 2020, 8:39pm

Range of local IPs (e.g. 192.168.., 10...*, … ) can be forbidden. And user can customize this behavior and shape her internal network in browser setting. This setting can also be reused in raw-socket proposal