- From: Anne van Kesteren <notifications@github.com>
- Date: Tue, 03 May 2016 23:34:47 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc:
Received on Wednesday, 4 May 2016 06:35:15 UTC
> +client.withCredentials = true
> +/* … */</pre>
> +
> + <p>Nowadays, <code title>fetch("./", { credentials:"include" }).then(/* … */)</code>
> + suffices.
> +</div>
> +
> +<p><span title=concept-request>Request</span>'s
> +<span title=concept-request-credentials-mode>credentials mode</span> is not necessarily observable
> +on the server, only when <span>credentials</span> exist for
> +<span title=concept-request>request</span> can it be observed. In such a scenario the
> +<span>CORS request</span> would include <span>credentials</span>, but the
> +<span>CORS-preflight request</span> would not. It never does.
> +
> +<p>The server developer therefore needs to decide whether or not resources "tainted" with
> +<span>credentials</span> can be shared. Generally speaking, this is rather unsafe and extreme care
I can maybe try doing that here.
---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/293/files/3c18527f11f87f44765b624c1152fe739204d783#r61994394
Received on Wednesday, 4 May 2016 06:35:15 UTC