Re: [w3ctag/design-reviews] "With Credentials" flag possibly inconsistent with web architecture (#76)

The issue is that libraries can't retry for all network errors, as that would be really bad performance-wise (and in general).

As Tim [stated](#issuecomment-140483668), the main issue is that unlike in HTTP, it is not possible to "follow your nose", unlike HTTP for cases where ambient authority is needed (401) or client accept list (406). (Note that there is no "don't use credentials" in HTTP, like if you want cookies dropped.) This leads to a situation where you need to know more about the URL than just... the URL, unless every URL uses the footgun option of always echoing the Origin, or uses a server that will do proxying and rewrite CORS headers to avoid this issue. (And that is also why getting numbers based on the existence of libraries that could not even fix the issue properly is not a good metric.)

The proposal to use another value than `*` for ACAO is just one way to minimise the impact on the existing behaviour, but there are other ways to address the issue:

* Use another error than `network error` when credentials are sent and ACAO is `*`. After all, if `*` is used, it means that it should be safe to know about this URL. Returning another error code would allow libraries to retry if needed. Just that change would be helpful and not have a huge impact on the overall security.
* Change the default for ACAO when `*` is sent to do what was proposed in `*public-deauth*`, but that can have an impact if some code relies on the error sent back.
* `*public-deauth*` as proposed
* Replace URLs with something like [EPRs](https://www.w3.org/TR/2006/REC-ws-addr-core-20060509/#eprs) to describe what kind of context would be needed, however, I think nobody wants to go there 😉 

-- 
https://github.com/w3ctag/design-reviews/issues/76#issuecomment-359392383

Received on Monday, 22 January 2018 11:08:54 UTC
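The behaviour the comment above is complaining about can be reproduced offline with a small model of the Fetch standard's CORS check. This is an added example, not code from the thread or from any browser: `corsCheck` follows the spec's steps (a `*` ACAO is accepted only when no credentials are sent; otherwise the ACAO must equal the request origin and `Access-Control-Allow-Credentials: true` must be present), `echoAnyOrigin` models the "always echo the Origin" footgun the comment mentions, and `allowlistedCorsHeaders` is the server-side alternative a defender would use instead. The origins, header objects and helper names are all constructed for the example.

```javascript
// Model of the Fetch standard's "CORS check" (added example, not browser code).
// Header names are assumed to be lowercased, as in a Headers object.
function corsCheck(requestOrigin, credentialsMode, headers) {
  const acao = headers["access-control-allow-origin"];
  if (acao === undefined || acao === null) {
    return { ok: false, reason: "no Access-Control-Allow-Origin header" };
  }
  // Step 2: a wildcard is fine as long as the request carried no credentials.
  if (credentialsMode !== "include" && acao === "*") {
    return { ok: true, reason: "wildcard ACAO, request sent without credentials" };
  }
  // Step 3: with credentials (or a non-wildcard value) the origin must match exactly.
  // This is the case the thread discusses: '*' + credentials fails right here, and
  // the browser surfaces it to script only as an opaque network error.
  if (acao !== requestOrigin) {
    return { ok: false, reason: `ACAO '${acao}' does not match origin '${requestOrigin}'` };
  }
  if (credentialsMode !== "include") {
    return { ok: true, reason: "origin matched, no credentials involved" };
  }
  // Step 5: credentials were sent, so ACAC must be literally "true".
  if (headers["access-control-allow-credentials"] === "true") {
    return { ok: true, reason: "origin matched and credentials explicitly allowed" };
  }
  return { ok: false, reason: "credentials sent but ACAC is not 'true'" };
}

// The footgun: a server that reflects whatever Origin it receives, with
// credentials allowed. Any origin on the web now passes the check above.
function echoAnyOrigin(requestOrigin) {
  return {
    "access-control-allow-origin": requestOrigin,
    "access-control-allow-credentials": "true",
  };
}

// The safer server-side pattern: echo the Origin only when it is on an explicit
// allowlist, and emit Vary: Origin so shared caches keep the variants apart.
function allowlistedCorsHeaders(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.has(requestOrigin)) {
    return {}; // no CORS headers at all: the browser will fail the check
  }
  return {
    "access-control-allow-origin": requestOrigin,
    "access-control-allow-credentials": "true",
    "vary": "Origin",
  };
}

// Runs the scenarios from the thread with constructed origins and returns the
// outcomes so they can be inspected (or asserted on) rather than just printed.
function runScenarios() {
  const app = "https://app.example";      // constructed first-party origin
  const other = "https://other.example";  // constructed third-party origin
  const allowlist = new Set([app]);
  return {
    wildcardNoCreds: corsCheck(app, "omit", { "access-control-allow-origin": "*" }).ok,
    wildcardWithCreds: corsCheck(app, "include", { "access-control-allow-origin": "*" }).ok,
    echoLetsAnyoneIn: corsCheck(other, "include", echoAnyOrigin(other)).ok,
    allowlistAdmitsApp: corsCheck(app, "include", allowlistedCorsHeaders(app, allowlist)).ok,
    allowlistRejectsOther: corsCheck(other, "include", allowlistedCorsHeaders(other, allowlist)).ok,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runScenarios());
}
```

Note that `corsCheck` returns a `reason` only because this is a model; a real browser exposes none of it to the page, which is exactly why the comment argues a library cannot safely decide when a retry without credentials is worthwhile.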