Fetch discussion on CORS for reporting requests

# Emily Stark (3 days ago)

I wanted to draw attention to a discussion we're having on Fetch about the fact that certain requests are de facto exempted from sending CORS preflights: whatwg/fetch#567

The gist of it is that various specs include various types of "special" requests without CORS preflights, even though they are triggered by web content, to a URL controlled by web content, and are not safe/simple requests. (CSP reports, HPKP reports, OCSP requests, etc.)

Realistically, browsers aren't going to start preflighting these requests anytime soon, for various reasons including compatibility, layering considerations, and implementation challenges. So we figure we might as well document the exceptions in Fetch rather than try to coerce these strange requests into CORS.

If you have any opinions, please share them on the bug.

Contact us to advertise here

Want more features?

Request early access to our private beta of readable email premium.