You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Chrome Apps are able to bypass CORS checks after adding host permissions to the manifest. It would be great if IWAs (and PWAs too, but I'm not holding my breath for that happening) were able to fetch any resources even if they don't have CORS headers declared.
An example use case is using Steam's public HTTP API, which doesn't declare CORS headers, probably because they assume it will be used by native apps not subject to such restrictions.
With the introduction of <controlledframe>, such restrictions are a pointless hassle because the IWA can simply load the desired resource in the CF and extract it.
The text was updated successfully, but these errors were encountered:
Chrome Apps are able to bypass CORS checks after adding host permissions to the manifest. It would be great if IWAs (and PWAs too, but I'm not holding my breath for that happening) were able to fetch any resources even if they don't have CORS headers declared.
An example use case is using Steam's public HTTP API, which doesn't declare CORS headers, probably because they assume it will be used by native apps not subject to such restrictions.
With the introduction of
<controlledframe>, such restrictions are a pointless hassle because the IWA can simply load the desired resource in the CF and extract it.The text was updated successfully, but these errors were encountered: