Re: [whatwg/fetch] Should we send an Origin header for no-cors fetches? (#225)

@tyoshino in https://github.com/whatwg/xhr/issues/31 you said @hiroshige-g would check this out but it never happened. I'd love for you to check my proposal.

Per https://bugzilla.mozilla.org/show_bug.cgi?id=1272302 it does seem that Chrome includes `Origin` for "no-cors" (and probably other cases) when method is POST.

I'm inclined to make these changes:

* Remove "omit-Origin-header flag"
* Change HTTP-network-or-cache fetch to include the `Origin` header when either _CORS flag_ is set or request's method is neither HEAD nor GET. (I could be convinced to only include it for POST, but it seems more reasonable to protect the other unsafe methods too.)

---
https://github.com/whatwg/fetch/issues/225#issuecomment-238874536

Received on Wednesday, 10 August 2016 13:58:04 UTC
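The rule proposed in the message above, together with the server-side check it would enable, as an added example that is not part of the original message or of the Fetch specification. The function names, the allowlist and the sample requests are constructed for illustration, and the server policy of rejecting unsafe methods that arrive without `Origin` is an assumption that only holds once clients send the header as proposed.

```javascript
// Client side: the proposed rule. Send Origin when the CORS flag is set
// or when the method is neither GET nor HEAD. (Hypothetical helper names.)
function shouldSendOrigin({ corsFlag, method }) {
  const m = method.toUpperCase();
  return corsFlag || (m !== "GET" && m !== "HEAD");
}

// Headers a client following the proposal would emit for a request.
function buildHeaders(request) {
  const headers = {};
  if (shouldSendOrigin(request)) headers["origin"] = request.origin;
  return headers;
}

// Server side: with Origin guaranteed on unsafe methods, a state-changing
// endpoint can refuse requests that do not come from its own origins.
const ALLOWED = new Set(["https://app.example"]); // constructed allowlist

function checkUnsafeRequest(method, headers) {
  const m = method.toUpperCase();
  if (m === "GET" || m === "HEAD") return { allow: true, reason: "safe method" };
  const origin = headers["origin"];
  if (origin === undefined) return { allow: false, reason: "unsafe method without Origin" };
  // Opaque origins (for example sandboxed frames) serialize as the string "null".
  if (origin === "null") return { allow: false, reason: "opaque origin" };
  if (!ALLOWED.has(origin)) return { allow: false, reason: "cross-origin: " + origin };
  return { allow: true, reason: "allowed origin" };
}

// Constructed sample requests, not captured traffic.
const SAMPLES = [
  { name: "same-origin form POST", corsFlag: false, method: "POST", origin: "https://app.example" },
  { name: "cross-site no-cors POST", corsFlag: false, method: "POST", origin: "https://other.example" },
  { name: "sandboxed frame POST", corsFlag: false, method: "POST", origin: "null" },
  { name: "cross-site image GET", corsFlag: false, method: "GET", origin: "https://other.example" },
  { name: "cross-site CORS GET", corsFlag: true, method: "GET", origin: "https://other.example" },
];

// Run each sample through the client rule, then through the server check.
function evaluate(samples) {
  return samples.map((r) => {
    const headers = buildHeaders(r);
    return { name: r.name, sentOrigin: "origin" in headers, ...checkUnsafeRequest(r.method, headers) };
  });
}

for (const row of evaluate(SAMPLES)) console.log(row);
```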