- From: Mark Nottingham <notifications@github.com>
- Date: Wed, 03 Feb 2016 14:36:28 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/210/179506649@github.com>

@annevk the method name doesn't really make a difference; it's compatibility with existing HTTP caching infrastructure that's important.

@sicking - yes, that can be detected, but then we need to figure out how to cache it. Just a max-age isn't sufficient; we need to know if it can be reused for other users, how to invalidate it, etc. HTTP caching is quite well-developed in this respect, so it doesn't make much sense to reinvent the wheel.

I agree a server-wide opt-in is interesting; that draft was more of a thought experiment, and I'm happy to put it to the side for the moment. It minimises the round-trip problem (because it's once per origin) and it is a separate resource, so it works well with caches.

WRT credentials - I believe that the (very large) customers (that unfortunately I can't reveal) that I'm aware of for this will be wanting authentication.

If we *can* make it possible to use for credentialed requests, it also might help address https://github.com/w3ctag/spec-reviews/issues/76.

AIUI the issue is that giving an easy switch for credentials in a central place is a footgun. Would that be mitigated sufficiently by requiring something like this in the well-known file?

~~~
credentials = "I understand that this makes all authenticated content on this site available to the sites below, and that this can represent a serious security issue."
credentials_origins = foo.com bar.com baz.com
~~~

First value being character-by-character case-sensitive. Would have to discuss whether `credentials_origins` would allow `*`.

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/210#issuecomment-179506649
Received on Wednesday, 3 February 2016 22:37:00 UTC
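
Added example, not part of the original message or of any specification: a fail-closed check of the opt-in sketched above, where credentialed access is granted only if the acknowledgement sentence matches exactly. The line-based `key = value` syntax, the function names, the refusal of `*` and the case-insensitive host comparison are assumptions made for illustration.

```javascript
// Added illustration; the "key = value" syntax is an assumption drawn from
// the sketch in the message, not a specified format.
const ACK = "I understand that this makes all authenticated content on this " +
  "site available to the sites below, and that this can represent a " +
  "serious security issue.";

function parsePolicy(text) {
  const fields = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "") continue;
    const eq = line.indexOf("=");
    if (eq < 0) return null;               // malformed line: fail closed
    const key = line.slice(0, eq).trim();
    if (fields.has(key)) return null;      // duplicate key: fail closed
    fields.set(key, line.slice(eq + 1).trim());
  }
  return fields;
}

function credentialedOrigins(text) {
  const fields = parsePolicy(text);
  if (!fields) return [];
  // Exact, case-sensitive comparison, including the surrounding quotes.
  if (fields.get("credentials") !== `"${ACK}"`) return [];
  const list = (fields.get("credentials_origins") || "")
    .split(/\s+/).filter(Boolean);
  // Whether "*" is allowed is left open in the message; this sketch refuses it.
  if (list.includes("*")) return [];
  return list.map((o) => o.toLowerCase()); // assumed: hosts compare case-insensitively
}

function allowsCredentials(text, requester) {
  return credentialedOrigins(text).includes(requester.toLowerCase());
}

// Constructed sample inputs.
const good = `credentials = "${ACK}"\ncredentials_origins = foo.com bar.com baz.com`;
const lowered = good.replace("I understand", "i understand");
const wildcard = `credentials = "${ACK}"\ncredentials_origins = *`;

console.log(allowsCredentials(good, "bar.com"));
console.log(allowsCredentials(good, "evil.example"));
console.log(allowsCredentials(lowered, "bar.com"));
console.log(allowsCredentials(wildcard, "bar.com"));
```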