Re: [fetch] Question about credentials mode of no-cors mode requests. (#168) from Ben Kelly on 2015-12-03 (public-webapps-github@w3.org from December 2015)

From: Ben Kelly <notifications@github.com>
Date: Thu, 03 Dec 2015 06:44:56 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Message-ID: <whatwg/fetch/issues/168/161660136@github.com>

> If my understanding is correct, there is no difference between "same-origin" and "include" when the request mode is "no-cors", because the credentials flag is set in HTTP fetch spec 4.3.

I don't think this is true.  If you are in "no-cors" and cross-origin then the response tainting is opaque.  So you trigger the "or response tainting is opaque" part of the second bullet there.

Not sure on the initial question, though.  Would be nice to hear from @annevk on this.

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/168#issuecomment-161660136

Received on Thursday, 3 December 2015 14:45:30 UTC