by notpushkin 660 days ago
> Does the browser not send a TLS client cert for fetch requests that don't send credentials?

I think it doesn't. From MDN: “Credentials are cookies, TLS client certificates, or authentication headers containing a username and password.”

> Another type of authentication is sites that only allow requests from certain source IP ranges.

This one can be tricky, yeah. Ideally such devices would check the Origin header, but that ship has sailed I guess.

---

But I think it should be pretty safe to allow cross-origin requests that:

- don't use credentials and

- don't go to a private network.

This means that evil.com can GET https://email.com/ without CORS, but the response won't be personalized to the user (so they can read the landing page but not your messages). They can also POST https://email.com/api/send, but that wouldn't do anything as, again, we don't include credentials.

good.com will send a request with credentials and in this case CORS should be checked indeed.

If evil.com tries to POST https://192.168.0.1/reboot we require CORS too, since it's on a private net. If evil.com tries to GET https://192.168.0.1/config we don't send a preflight but check the CORS headers on the response before allowing it to be read.

If your site is on public net and you authorize users solely by IP – that's on you.
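As an added illustration (not part of the comment above, and not a description of how any shipping browser behaves), here is a small JavaScript model of the policy the comment proposes: a cross-origin request needs no CORS check when it carries no credentials and does not target a private network; otherwise CORS applies. The function names, the three outcome labels, the list of address ranges counted as "private", and the choice to preflight anything other than GET/HEAD are assumptions made for this example.

```javascript
// Added example: a model of the cross-origin policy proposed in the comment
// above. Function names, outcome labels and the exact "private network"
// ranges are assumptions made here; no browser implements this rule as-is.

// Address ranges counted as a "private network" (assumed list: RFC 1918,
// loopback, link-local and CGNAT space).
const PRIVATE_V4 = [
  ["10.0.0.0", 8],
  ["172.16.0.0", 12],
  ["192.168.0.0", 16],
  ["127.0.0.0", 8],
  ["169.254.0.0", 16],
  ["100.64.0.0", 10],
];

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit integer, or null.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// True when addr (uint32) falls inside base/bits.
function inCidr(addr, base, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((parseIPv4(base) & mask) >>> 0);
}

// Decide from the URL's hostname alone whether the target is "private".
// Note: this inspects the literal hostname, not what DNS resolves it to.
function isPrivateHost(hostname) {
  const host = hostname.replace(/^\[|\]$/g, "").toLowerCase(); // strip IPv6 brackets
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  const v4 = parseIPv4(host);
  if (v4 !== null) return PRIVATE_V4.some(([base, bits]) => inCidr(v4, base, bits));
  // IPv6: loopback, unique-local (fc00::/7) and link-local (fe80::/10).
  if (host === "::1") return true;
  if (/^f[cd]/.test(host)) return true;
  if (/^fe[89ab]/.test(host)) return true;
  return false;
}

// Fetch credentials modes: "omit" and "same-origin" both mean no credentials
// on a cross-origin request; only "include" attaches cookies, client certs
// or Authorization headers.
function classifyCrossOriginRequest({
  requestOrigin,
  url,
  method = "GET",
  credentials = "same-origin",
}) {
  const target = new URL(url);
  if (target.origin === requestOrigin) return "same-origin";

  const withCredentials = credentials === "include";
  const privateTarget = isPrivateHost(target.hostname);

  // The proposed rule: no credentials and not a private network => no CORS.
  if (!withCredentials && !privateTarget) return "allow-without-cors";

  // Otherwise CORS applies. Assumption for this model: GET/HEAD are sent
  // without a preflight and the response's CORS headers gate whether the
  // caller may read it; any other method needs a preflight before it is sent.
  const m = method.toUpperCase();
  if (m === "GET" || m === "HEAD") return "cors-check-response";
  return "cors-preflight";
}

// Walk through the scenarios from the comment (constructed inputs).
function demo() {
  const evil = "https://evil.com";
  const good = "https://good.com";
  return {
    landing: classifyCrossOriginRequest({ requestOrigin: evil, url: "https://email.com/", credentials: "omit" }),
    send: classifyCrossOriginRequest({ requestOrigin: evil, url: "https://email.com/api/send", method: "POST", credentials: "omit" }),
    inbox: classifyCrossOriginRequest({ requestOrigin: good, url: "https://email.com/inbox", credentials: "include" }),
    reboot: classifyCrossOriginRequest({ requestOrigin: evil, url: "https://192.168.0.1/reboot", method: "POST", credentials: "omit" }),
    config: classifyCrossOriginRequest({ requestOrigin: evil, url: "https://192.168.0.1/config", credentials: "omit" }),
  };
}
```

One limitation worth keeping in mind with this model: `isPrivateHost` looks only at the hostname as written, so a public name that resolves to 192.168.0.1 (DNS rebinding) would be classified as a public target. A real implementation of the rule would have to classify on the resolved address at connection time, not on the URL.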