| 01:33 | <MikeSmith> | somebody could probably make a full-time job out of responding to stackoverflow questions from people confused by CORS |
| 01:34 | <MikeSmith> | http://stackoverflow.com/questions/35821855/why-is-cors-disabled-by-default |
| 01:34 | <MikeSmith> | but I dunno how much can or should be done in the Fetch spec itself to try to make any of it more clear |
| 01:35 | <MikeSmith> | I think instead that sources like MDN need to make some things more clear |
| 01:35 | <MikeSmith> | like, I think most developers first using CORS almost always are surprised when they find out it doesn’t send credentials by default |
| 01:38 | <MikeSmith> | so a big prominent note in MDN saying “Important: The Fetch and XHR APIs do not send credentials by default in cross-origin requests. To have them send credentials, you must…” would help |
| 03:22 | <rniwa> | MikeSmith |
| 03:22 | <rniwa> | MikeSmith: yeah, I think we need better documentation on how cross origin security works in general |
| 03:22 | <rniwa> | MikeSmith: geared towards authors |
| 03:31 | <MikeSmith> | Yeah |
| 03:32 | <MikeSmith> | clearly it's non-intuitive for a lot of people |
| 04:11 | <terinjokes> | MikeSmith: in people i work with or help, i see a bunch of kludgey workarounds because someone didn't know how to send credentials |
| 04:33 | <MikeSmith> | terinjokes: so yeah it’s especially bad if the confusion causes cases like that |
| 05:23 | <annevk> | Workarounds might be better than security holes |
| 05:28 | <rniwa> | annevk: well, it would be equally bad if the workarounds were creating a new security hole though |
| 05:29 | <rniwa> | annevk: like... i've seen people creating JSONP to work around same origin policy without realizing that they're just creating a security hole... |
| 05:29 | <rniwa> | annevk: or copying/pasting CORS headers without knowing what they mean |
| 05:30 | <rniwa> | annevk: because "it works" :( |
| 05:30 | <annevk> | Sure, I guess there is no real defense against that |
| 05:35 | <DocTheMedic> | hey, is this a good place to ask for "current" web design ideas? |
| 06:38 | <MikeSmith> | so the entirety of w3.org on the Internet seems to be down at the moment |
| 06:38 | <MikeSmith> | ah maybe it just now came back |
| 06:38 | <MikeSmith> | yeah, seems so |
| 06:48 | <annevk> | DocTheMedic: if you're looking for web architecture design, maybe, but web design not really |
| 07:01 | <DocTheMedic> | ah darn |
| 07:02 | <DocTheMedic> | i got the sketch, but the person wants a matrix-like website, and i'm drawing a blank on how to make it like a 2016ish website, not a 1996 website, lol |
| 07:02 | <DocTheMedic> | minor issue really, thanks tho |
| 09:47 | <annevk> | Domenic: https://www.w3.org/Bugs/Public/show_bug.cgi?id=18242 might be worth looking at |
| 19:09 | <Domenic> | annevk: related https://github.com/whatwg/html/issues/473 which I still need to fix :( |
| 19:41 | <annevk> | Domenic: I see, that looks tough |