I talked myself out of writing 'GET /quitquitquit' handlers for debugging because of CSRF, but I guess enough people haven't that we have to make browsers just deny access. I think that's probably fine.
Is anyone working on making CORS stricter? I have always been annoyed that you can do cross-origin GETs and form submissions without a preflight. Whenever I Google it I just find people talking about how the existing CORS restrictions ruin their lives. Personally, never had a problem, so I'm not sure what all the fuss is about.
Is anyone working on making CORS stricter? I have always been annoyed that you can do cross-origin GETs and form submissions without a preflight. Whenever I Google it I just find people talking about how the existing CORS restrictions ruin their lives. Personally, never had a problem, so I'm not sure what all the fuss is about.