No, Apple just doesn't even allow you to install a non-WebKit browser from the App Store on their phones.
Why waste time advertising on competitors' websites when you can just stop them from using competitors altogether (or at least require them to use you at the same time)?
By default, under the same origin policy, a browser won't allow requests cross origin.
But there are valid situations where you want a request from 1 domain to be made to other domains. This is where CORS comes in.
CORS is a mechanism to loosen security, not increase it. It allows a server to say, these are the domains (outside my own domain) who can make requests. CORS headers should be set carefully so that you are only allowing the domains that should be allowed through.
> CORS is a mechanism to loosen security, not increase it.
Or we could call it CORB instead (Cross origin request blocking), and then we see it's a mechanism to tighten security. Since fundamentally, what we have is an agreement among major web browser vendors that blocks cross origin requests unless the web server authors have used CORS.
I mean, how many people have encountered a problem with CORS? Almost no-one, and those that have encountered a problem with CORB and solved it by enabling a shitty CORS that opened the doors. (At least, they're fixing security holes in software that was written by devs who encountered a CORB problem and fuxed it. But all CORS problems follow a CORB problem.)
If we called it by its true name, maybe it would help people understand what's happening. Names are important. If developers understand CORB, they will potentially understand CORS. But no-one can understand CORS till they've understood CORB.
> By default, under the same origin policy, a browser won't allow requests cross origin.
Save a rather short-but-impactful list of exceptions.
> CORS is a mechanism to loosen security, not increase it.
Would that everyone shared your understanding.
Add in these two insights to those we are enlightening:
* CORS is enforced by the browser, so no, your curl command working doesn't say your service is fine
* That error message in the browser about 'no-cors'? It is 99% likely that no-cors is NOT what you want, so the error message is just misleading and unhelpful
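The two points made in this thread (allow only the origins that should get through, and the browser rather than the server enforces the result), as an added example that is not from any commenter. The origins are constructed, the function names are hypothetical, and `browserAllowsRead` is a simplified model of the browser-side check for a request that needs no preflight.

```javascript
// Added illustration; origins are constructed and function names are hypothetical.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Weak: echoes back any Origin and allows credentials, so every site is "allowed".
function reflectingCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Corrected: exact-match allowlist; Vary: Origin keeps caches from mixing answers.
function allowlistCorsHeaders(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Simplified model of the check a browser applies to a cross-origin response
// before page script may read it. The server has already processed the request
// by this point, and a non-browser client such as curl performs no such check.
function browserAllowsRead(pageOrigin, headers, withCredentials) {
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  if (!allowOrigin) return false;
  if (!withCredentials && allowOrigin === "*") return true;
  if (allowOrigin !== pageOrigin) return false;
  if (!withCredentials) return true;
  return headers["Access-Control-Allow-Credentials"] === "true";
}

// Runs both policies against a trusted and an untrusted page origin.
function comparePolicies() {
  const result = {};
  for (const origin of ["https://app.example.com", "https://other.example.net"]) {
    result[origin] = {
      reflecting: browserAllowsRead(origin, reflectingCorsHeaders(origin), true),
      allowlist: browserAllowsRead(origin, allowlistCorsHeaders(origin), true),
    };
  }
  return result;
}

console.log(comparePolicies());
```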
> This stuff isn't relevant at all to the talk - he never talks about npm or anything to do with package managers but instead how node does imports etc.
He does have it in his slides.
Slide titled: "Regret: package.json", last 2 points:
> Ultimately I included NPM in the Node distribution, which much made it the defacto standard.
> It's unfortunate that there is a centralized (privately controlled even) repository for modules.
I'm a kiwi, who lived in the US from the age of 8 to 13 (1998 - 2003).
I remember getting into a massive argument with an Elementary school teacher who tried to tell me I was wrong when I told her that my country was not in fact part of the country of Australia (not just continent, but she was adamant it was part of the Australian country).
Bad news mate, much like we claim anyone famous from NZ, we also claim the entire land mass:
Australian constitution, preamble [corrected]:
"The States shall mean such of the colonies of New South Wales, New Zealand, Queensland, Tasmania, Victoria, Western Australia, and South Australia, including the northern territory of South Australia [...] and each of such parts of the Commonwealth shall be called a State."
Apparently those words mean NZ is "pre-approved" to join the Commonwealth of Australia and she can unilaterally join at a time of her choosing [1]. If true, it would make for an interesting scenario if acted upon.
Hah, yeah I wasn't really suggesting it. Just one of those quirks. I am no lawyer but I suspect we couldn't write up some paperwork to claim a country without them agreeing to it anyway.
dep is still the officially recommended way to go for now. Russ Cox has mentioned in his blog posts on vgo that they will be working hard to ease the transition from dep to the built in versioning tools.
Which means at some point, we have to switch from dep to vgo. Although the transition could be smooth, the methodology behind it must have changed, and that would not be a smooth transition for our mindset.
> Apparently making the dependency-manager's code simpler is a goal
That isn't the goal at all. The goal of Minimal Version Selection is to ensure that the version selected is closest to that which was tested by the app and its dependencies.
> worth removing developer's ability to be expressive and removing security updates.
And that isn't true either. It allows the developer of both the app and its dependencies to express the version they have tested against, and still allow the developer to receive security updates by explicitly increasing the version, allowing them to test that the update doesn't create problems while doing so.
It allows for version pinning without the need for a lock file.
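Minimal Version Selection as described in the comment above, as an added sketch that is not vgo's own code: the build list takes, for each module, the highest of the minimum versions declared anywhere in the requirement graph, so a newer release is picked up only when someone explicitly raises a requirement. The module graph is constructed, the function names are hypothetical, and versions are assumed to be plain `major.minor.patch`.

```javascript
// Constructed requirement graph: "module@version" -> minimum versions it declares.
const REQUIREMENTS = {
  "app@1.0.0": ["libA@1.2.0", "libB@1.1.0"],
  "libA@1.2.0": ["libC@1.3.0"],
  "libB@1.1.0": ["libC@1.4.0"],
  "libC@1.3.0": [],
  "libC@1.4.0": [],
  "libC@1.5.0": [], // published, but no module requires it yet
};

// Numeric comparison of major.minor.patch (assumption: no pre-release tags).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Walk the graph from the root and keep the highest declared minimum per module.
function buildList(root, requirements) {
  const selected = {};
  const seen = new Set();
  const stack = [root];
  while (stack.length > 0) {
    const node = stack.pop();
    if (seen.has(node)) continue;
    seen.add(node);
    const [name, version] = node.split("@");
    if (!selected[name] || compareVersions(version, selected[name]) > 0) {
      selected[name] = version;
    }
    for (const dep of requirements[node] || []) stack.push(dep);
  }
  return selected;
}

// The explicit step the comment describes: a module raises its own requirement.
function raiseRequirement(requirements, node, dep) {
  return { ...requirements, [node]: [...requirements[node], dep] };
}

console.log(buildList("app@1.0.0", REQUIREMENTS)); // libC stays at 1.4.0
console.log(buildList("app@1.0.0", raiseRequirement(REQUIREMENTS, "app@1.0.0", "libC@1.5.0")));
```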