Re: [whatwg/fetch] Drop developer-controlled Authorization header on cross-origin redirects (#944) from Patrick Toomey on 2019-10-01 (public-webapps-github@w3.org from October 2019)

From: Patrick Toomey <notifications@github.com>
Date: Tue, 01 Oct 2019 07:22:14 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/944/537059998@github.com>

> (If you use other headers to carry credentials you are out of luck.)

I'm sure there is a good reason for this, so apologies if this has been discussed to death; is there a thread that discusses the motivation of sending custom-set headers by default on redirects to cross-origin domains? The `Authorization` header seems an obvious candidate for not being sent cross-origin. But, what if folks are doing stuff like `MyApp-API-Token: .....`? Intentional redirect to third-parties are not super rare, and it seems surprising/a possible foot-gun to relay all custom headers to another origin without the caller opting into that behavior. 

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/944#issuecomment-537059998

Received on Tuesday, 1 October 2019 14:22:35 UTC