- From: Anne van Kesteren <notifications@github.com>
- Date: Tue, 01 Oct 2019 05:31:08 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 1 October 2019 12:31:30 UTC
User-agent-controlled credentials are only included for matching requests, but developer-controlled credentials will be copied from request to request. There's a proposal to scope a developer-controlled `Authorization` header to the origin of the initial request. (If you use other headers to carry credentials you are out of luck.) This might be reasonably compatible as `Authorization` is a header that requires a preflight (and does not allow wildcards) and redirects for preflights were not followed until recently.

What's needed to move this forward:

- [ ] Implementers need to be interested.
- [ ] Tests need to be written to ensure it's dropped at the appropriate time (and other headers are not).
- [ ] The specification needs to be updated to account for this. Perhaps by reusing https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name somehow.

cc @whatwg/security

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/944
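An added example, not part of the original message or of the Fetch specification: a small JavaScript model of the proposed rule, showing which developer-set headers would be sent on each hop of a redirect chain. The URLs, header values and function names are constructed, and the model assumes the header stays dropped once a hop leaves the initial request's origin.

```javascript
// Added illustration of the proposal; names and sample data are hypothetical.

function originOf(url) {
  return new URL(url).origin; // scheme + host + port
}

// chain[0] is the initial request; later entries are redirect targets.
// Returns the developer-controlled headers sent on each hop.
function headersPerHop(chain, developerHeaders) {
  const initialOrigin = originOf(chain[0]);
  let current = {};
  for (const [name, value] of Object.entries(developerHeaders)) {
    current[name.toLowerCase()] = value; // header names are case-insensitive
  }
  const sent = [];
  for (const url of chain) {
    if (originOf(url) !== initialOrigin && "authorization" in current) {
      // Scope Authorization to the initial origin. Assumption: it is not
      // restored if a later hop returns to that origin.
      const { authorization, ...rest } = current;
      current = rest;
    }
    sent.push({ url, headers: { ...current } });
  }
  return sent;
}

// Constructed redirect chain: same origin, same origin, cross origin, back.
const sampleChain = [
  "https://api.example/v1/report",
  "https://api.example/v2/report",
  "https://cdn.example.net/report.json",
  "https://api.example/v2/done",
];
// Constructed credentials. X-Api-Key stands in for "other headers" that the
// proposal does not cover and that therefore still travel cross-origin.
const sampleHeaders = {
  Authorization: "Bearer constructed-token",
  "X-Api-Key": "constructed-key",
};

for (const hop of headersPerHop(sampleChain, sampleHeaders)) {
  console.log(hop.url, "->", Object.keys(hop.headers).join(", "));
}
```

The per-hop output doubles as the shape of the test the checklist asks for: `Authorization` absent from the cross-origin hop onward, every other header unchanged.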