Re: [spec-reviews] "With Credentials" flag possibly inconsistent with web architecture (#76)

> You make the point that it is useful to give more power to a JS app to operate at a lower level, and do explicit HTTP requests with the method and headers all added. Yes, this is useful. It would be useful also to understand and select which certs, passwords, or cookies were used.

Agreed. I think it'd be very useful to allow fetch() to specify things like which certs should be used. It might even be useful to allow fetch() to specify which client-side cert should be used, as well as which server-side certs should be trusted.

> But that is not the function which we are talking about when we talk about just taking one URI param. That function is a high-level function to look up a URI, doing the right thing at all points. It is very common. It only does get; it follows redirects. It provides authentication where it needs to, asking the user without the dev having to be involved.

`fetch(url)` almost does this. But as has been pointed out, it doesn't provide authentication for cross-site requests.

However `fetch(url, { credentials: "include" })` does exactly what you describe above.

So it sounds like you are fine with CORS having different security modes. And that you are fine with the `fetch` and `XMLHttpRequest` APIs providing the ability to configure parameters such as HTTP method, headers and CORS security mode.

What you don't like is the default value that the `fetch` and `XMLHttpRequest` APIs use for the CORS security mode?

Is that correct?

> Web app devs rely on the browser doing the right thing. This function no longer exists.

I hope I made it clear above that the functionality you are requesting exists. It is just not the default behavior of the `fetch` and `XMLHttpRequest` APIs. But it certainly exists.

> It is needed not only by developers of apps, but also of frameworks which look up URIs on the web as part of their work. The signature of the function is get(uri) not get(uri,credentialFlag). This is currently broken.

You don't need to make the signature `get(uri, credentialsFlag)` any more than you need to make the API `get(uri, headers, method)`. All you need to do is to pass the correct parameters to the `fetch` or `XMLHttpRequest` APIs if you are calling those.

---
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/spec-reviews/issues/76#issuecomment-184883538

Received on Tuesday, 16 February 2016 21:36:15 UTC
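The `get(uri)` wrapper the reply describes, as an added example (not code from the thread or from the Fetch spec): it fixes the credentials mode to `"include"`, and alongside it is the server opt-in check a browser applies before a credentialed cross-origin response is exposed to script. The function names, the fake fetch injection point and the sample headers are assumptions for illustration.

```javascript
// Added example (not from the thread). A high-level get(uri) built on fetch(),
// plus the CORS rule that makes credentials: "include" safe to offer at all.
// Function names and sample values are assumptions for illustration.

// The "look up a URI, do the right thing" function from the quoted text:
// GET only, follows redirects, and attaches cookies, HTTP auth and TLS client
// certificates even cross-origin. fetchImpl is injectable so it runs offline.
function credentialedGet(uri, fetchImpl = globalThis.fetch) {
  return fetchImpl(uri, {
    method: "GET",
    redirect: "follow",       // fetch() default, stated explicitly
    credentials: "include",   // not the fetch() default ("same-origin")
  });
}

// Read a header from either a Headers object or a plain lower-cased map.
function header(headers, name) {
  if (typeof headers.get === "function") return headers.get(name);
  return headers[name.toLowerCase()] ?? null;
}

// Why the default is conservative: a credentialed response is only readable
// by script if the server opted in for this exact origin. A wildcard origin
// or a missing Allow-Credentials header means the browser withholds it.
function corsPermitsCredentials(responseHeaders, requestOrigin) {
  const allowOrigin = header(responseHeaders, "access-control-allow-origin");
  const allowCreds = header(responseHeaders, "access-control-allow-credentials");
  if (allowOrigin === null || allowOrigin === "*") return false;
  if (allowOrigin !== requestOrigin) return false;
  return allowCreds === "true";
}

// Constructed sample response headers (no network involved).
const SAMPLE_RESPONSES = {
  wildcard: { "access-control-allow-origin": "*",
              "access-control-allow-credentials": "true" },
  optedIn:  { "access-control-allow-origin": "https://app.example",
              "access-control-allow-credentials": "true" },
  noCreds:  { "access-control-allow-origin": "https://app.example" },
};
```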