by Spivak
1768 days ago
It shouldn't because this was always possible if someone really cared to just run their own public server with a /dig endpoint. If web security depends on websites not having access to public data that could always be proxied to it then we're already screwed.
A lot of web features had always been possible by simply running them on your own server: Cross-origin requests, generating images on-demand, rendering vector graphics, etc. Nevertheless, when those features became available in the browser - without any additional effort needed from the developer - it had massive effects on the web ecosystem.
I can't say I have answers, but my suspicion is that it makes a significant difference in friction whether a feature requires you to set up and run your own infrastructure or whether you just need to type in some JavaScript to use it.
> If web security depends on websites not having access to public data that could always be proxied to it then we're already screwed.
To some extent it does - that's why you cannot access the body of cross-origin GET requests or the contents of cross-origin iframes without those sites opting in - even if no cookies or other credentials are sent with the request.