by captainmuon 1223 days ago
Sending credentials and cookies to third party sites is the original sin. It should have never happened. We keep it because it is useful for advertisers [1]. Same-origin is just a huge and complicated band-aid to close the gap. Without same-origin and credential passing, you could have really cool mashup apps - one page could scrape another (uncooperating) one and display the results in a new way. Heck, you could write a browser in a browser if you wanted.

[1] How would you implement third-party login and similar useful things without it? Your page's script could pass the necessary cookies explicitly to the third party script, or you could go around the backend and have server A tell server B who a session belongs to.