- From: Yves Lafon <notifications@github.com>
- Date: Mon, 15 May 2017 13:02:33 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 15 May 2017 20:03:24 UTC
In the case of a preflight, the subsequent request should avoid sending credentials; for an initial cross-domain GET, the result should not be presented to the caller directly, and yes, a new request without credentials would be the right way to go. It would be suboptimal in terms of latency, but better than blocking.

I don't think that `*public-auth*` is what TAG people wanted, as it is more likely to cause unwanted leaks; the main issue was really for public resources blocked when using '*' and its implication on knowing context+URL to address a resource. Also the fact that the 'echo back Origin' recipes are used sometimes without realizing the issue, just as a workaround for the issue people have with '*' (hence the proposal to have a less confusing name for it).

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/517#issuecomment-301588296