Clarify default behavior and usage of the mode option

sindresorhus · Jul 19, 2024 · 0858dd0 · 0858dd0
1 parent 81efa9d
commit 0858dd0
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/readme.md b/readme.md
@@ -136,7 +136,7 @@ import ky from 'https://esm.sh/ky';
 The `input` and `options` are the same as [`fetch`](https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/fetch), with some exceptions:
 
 - The `credentials` option is `same-origin` by default, which is the default in the spec too, but not all browsers have caught up yet.
-- The `mode` option is `same-origin` by default, as the `no-cors` default used by `fetch` is confusing and unsafe. If you need to make cross-origin requests, set the `mode` to `cors`.
+- The `mode` option is `same-origin` by default for improved security. If you need to make requests to a different [origin](https://developer.mozilla.org/en-US/docs/Glossary/Origin) (hostname, port, or protocol) than where Ky is running, then you should set the mode, preferably to `cors` if the server supports [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) (as most APIs do), or `no-cors` if it doesn't or you're unsure. Note that browsers [limit the headers](https://fetch.spec.whatwg.org/#no-cors-safelisted-request-header-name) that can be sent with a `no-cors` request and they return an [opaque response](https://fetch.spec.whatwg.org/#concept-filtered-response-opaque) that cannot be read. This option has no effect in server-side environments such as Deno, Node.js, and Cloudflare Workers, where you can generally make requests to any origin without restrictions.
 - Adds some more options. See below.
 
 Returns a [`Response` object](https://developer.mozilla.org/en-US/docs/Web/API/Response) with [`Body` methods](https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch#body) added for convenience. So you can, for example, call `ky.get(input).json()` directly without having to await the `Response` first. When called like that, an appropriate `Accept` header will be set depending on the body method used. Unlike the `Body` methods of `window.Fetch`; these will throw an `HTTPError` if the response status is not in the range of `200...299`. Also, `.json()` will return an empty string if body is empty or the response status is `204` instead of throwing a parse error due to an empty body.