Re: [whatwg/fetch] More wildcards in CORS when used without credentials (#298) from Takeshi Yoshino on 2016-05-24 (public-webapps-github@w3.org from May 2016)

From: Takeshi Yoshino <notifications@github.com>
Date: Tue, 24 May 2016 01:40:31 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc:
Message-ID: <whatwg/fetch/pull/298/c221203386@github.com>

Sorry for delay.

lgtm but I want to make sure that it's fine that
- a user-agent may end up sending no credential even when credentials mode is set to include
- in such case, the server cannot know that the client is using `credentials mode == include` only by inspecting the received request, and therefore it's not safe to use the wildcard.

This means that developers are basically required to coordinate use of the wildcard between client code and server. Right?

---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/298#issuecomment-221203386

Received on Tuesday, 24 May 2016 08:40:59 UTC