|
|
|
|
|
|
by xg15
2053 days ago
|
|
|
The proposal talks about sites resolving to private/local addresses, so presumably, the browser would still apply the checks to all requests to that domain. The only thing that would not trigger CORS is if you somehow loaded a top-level document from that domain. (The address is in the browser's address bar) - however, a malicious website can't do that as this server is not under their control. |
|
|