QUERY: What to say about CORS?

[nicowilliams]

A safe method with a request body should probably have the same CORS handling as GET, I think.

[MikeBishop]

CORS is not a feature of HTTP itself; it's something defined at the browser level on top of HTTP.

[reschke]

That's an interesting question, but I'm not sure that touching CORS is going to work. But certainly we can make the Fetch authors think about it.

[nicowilliams]

The Security Considerations section certainly could say something to the effect that because QUERY is a safe and idempotent method, something like: "we expect that CORS should evolve to treat QUERY in a substantially similar way as GET".

HTML too will need extensions to support the use of QUERY from HTML. My guess is that JavaScript will probably get support for QUERY before HTML. Cross-origin QUERY requests ought to work as well as cross-origin GETs.

[reschke]

We usually do not put requests to other standards bodies into our specs.

If we feel that something should be done, we ought to discuss that in their discussion venue.

[nicowilliams]

Text about this can say something like: "We expect that an upcoming update to CORS will handle QUERY similar to GET, however, we cannot update CORS. Implementors should watch for updates to CORS."

[reschke]

we could but it's rather pointless and likely wouldn't get past last call.

[nicowilliams]

I don't see why non-normative language would be removed at WGLC or IETF LC, but you could always merely note that currently CORS cannot and does not say anything about QUERY.

[reschke]

Why would Javascript need extensions for QUERY?

[reschke]

See whatwg/fetch#1774