- From: Chris Matheson <notifications@github.com>
- Date: Tue, 07 Nov 2017 13:00:52 +0000 (UTC)
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 7 November 2017 13:03:00 UTC
Possibly I'm still not completely understanding all the ins and outs of browser security, but i think what I'm trying to achieve is relatively simple.
I have a page served 100% over HTTPS, I'm using basic auth, with the username & password being held by the browser and (should) be sent with every request from there onwards.
I have added the `credentials: 'same-origin' ` to the fetch function call and for GET requests its included. but the same code path with a POST request does not include the header in the request.
```
fetch("/center/57023368c4d6931600216494", {headers: {"Content-Type": "application/json", Accept: "application/json"}, credentials: "same-origin", method: "GET"})
fetch("/users/find", {headers: {"Content-Type": "application/json", Accept: "application/json"}, credentials: "same-origin", method: "POST", body: "{\"center\":\"US testing\"}"})
```
I don't think this is a CORS issue since everything is talking to the same domain. Ive tried expanding to `credentials: 'include' ` but no difference. And I've seen the problem in both Safari & Chrome.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/628
Received on Tuesday, 7 November 2017 13:03:00 UTC