Re: [whatwg/fetch] Vary HTTP cache on credentials mode (#307)

@annevk Apologies for my own ignorance, but no, because I'm still struggling with working through the 'unsafe' aspect. I'm trying to help make sure this gets prioritized appropriately for Chrome - and that we either express positive or negative signals - but I'm struggling with understanding the 'negative' scenario.

That is, I'm imagining this scenario:

`http://example.com/` - without the *credentials* flag set, returns no ACAO header, sets no `Vary` header, and just says "Anonymous"
`http://example.com/` - with the *credentials* flag set, returns `Access-Control-Allow-Origin: *` header, sets no `Vary` header, and says "Authenticated"

Now, we have same-origin and cross-origin accesses to these resources, with and without credentials.

What I'm trying to understand is why the bug _isn't_ with the omission of `Vary: Cookie, WWW-Authenticate`. I'm not sure your phrasing in https://github.com/whatwg/fetch/issues/307#issuecomment-285113449 is what I'd agree with, if only because isn't this what `Vary` is supposed to be for?

Your statement about TLS certificates leaves me similarly confused, because I would have understood if the argument is that because TLS is a transport-level authentication mechanism, you can't `Vary` it in the Response. Further, I could understand/appreciate if the argument was that the existence of connection-based authentication headers that abuse(d) HTTP/1.1 (namely, NTLM, Kerberos, and Negotiate) means that some requests would omit the `HTTP-Authorization` header, and thus fail to be able to be `Vary`'d on them.

To me, I read that similar to what @mnot suggested originally (if I understood https://github.com/whatwg/fetch/issues/307#issuecomment-282898783 correctly), which is that the existence of intermediate proxies means that this is already a problem - but only for servers that vary the content on the same resource identifier based on what `fetch()` calls "credentials" but which are actually a complex set of relationships - both part of HTTP and of the underlying transport.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/307#issuecomment-285116968

Received on Wednesday, 8 March 2017 17:58:22 UTC
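A constructed model of the scenario in this comment, added here as an illustration rather than code from the thread or from the Fetch spec: one URL whose body depends on whether a cookie arrives, an HTTP cache that either does or does not key on credentials mode, and an origin that either does or does not send `Vary: Cookie`. The URL, cookie value and bodies are the ones the comment uses or constructed placeholders.

```python
ORIGIN_URL = "http://example.com/"  # as in the comment above

def origin_server(req_headers, send_vary):
    """Constructed origin: 'Authenticated' when a Cookie arrives, else 'Anonymous'.
    It only emits Vary: Cookie when send_vary is True (the comment's case is False)."""
    body = "Authenticated" if "cookie" in req_headers else "Anonymous"
    headers = {"vary": "Cookie"} if send_vary else {}
    return body, headers

class HttpCache:
    """Minimal shared cache. Entries are looked up by URL, then filtered by
    credentials mode (if the cache keys on it) and by the response's Vary headers."""
    def __init__(self, key_on_credentials_mode):
        self.key_on_credentials_mode = key_on_credentials_mode
        self.entries = []  # (url, credentials_mode, request_headers, body, response_headers)

    def lookup(self, url, credentials_mode, req_headers):
        for e_url, e_mode, e_req, body, resp_headers in self.entries:
            if e_url != url:
                continue
            if self.key_on_credentials_mode and e_mode != credentials_mode:
                continue
            vary = [h.strip().lower() for h in resp_headers.get("vary", "").split(",") if h.strip()]
            # Vary: each named request header must match what the stored response was sent for
            if all(e_req.get(h) == req_headers.get(h) for h in vary):
                return body
        return None

    def fetch(self, url, credentials_mode, send_vary):
        # credentials "include" attaches the (constructed) session cookie; "omit" sends none
        req_headers = {"cookie": "session=abc"} if credentials_mode == "include" else {}
        hit = self.lookup(url, credentials_mode, req_headers)
        if hit is not None:
            return hit, "cache"
        body, resp_headers = origin_server(req_headers, send_vary)
        self.entries.append((url, credentials_mode, req_headers, body, resp_headers))
        return body, "origin"

def scenario(key_on_credentials_mode, send_vary):
    """Credentialed fetch first, then a credential-less fetch of the same URL."""
    cache = HttpCache(key_on_credentials_mode)
    first = cache.fetch(ORIGIN_URL, "include", send_vary)
    second = cache.fetch(ORIGIN_URL, "omit", send_vary)
    return first, second
```

With neither `Vary: Cookie` nor a credentials-mode cache key, the second (credential-less) fetch is served the "Authenticated" body from cache; either mechanism alone keeps the two responses apart.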