[whatwg/fetch] Allow setting `cookie` header in credential-less CORS requests (#268)

I'm guessing that the reason we're forbidding the `cookie` header from being set for cross-origin requests is to prevent session-pinning attacks.

However, is there a reason we're forbidding setting the `cookie` header for requests whose "credentials mode" is `"omit"` or `"same-origin"`?

Allowing setting the cookie headers on such requests could be useful to allow a website A to make requests to a website B using A's credentials to B rather than the user's credentials to B.

Note that I'm *not* suggesting that we make `cookie` a "simple header". That would be bad for the same reason that making `authorization` a "simple header" would be bad, i.e. it could allow distributed brute-forcing of credentials.
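The post relies on two distinct Fetch classifications that are easy to conflate: "forbidden header names" (headers a page can never set, `Cookie` among them) and "simple" (CORS-safelisted) request headers (headers that can be sent cross-origin without a preflight). The following is an added example, not code from the issue or from the Fetch specification itself; it models both lists as a small decision function and adds the carve-out this issue proposes (allowing `Cookie` only when the credentials mode is `"omit"` or `"same-origin"`) so the two consequences can be seen side by side: the header becomes settable, but because it is still not safelisted, a request carrying it still triggers a preflight, which is the property that prevents distributed brute-forcing. The header lists are abbreviated to the entries relevant here, and the `Content-Type` check only looks at the media type before any `;` parameters (a simplification of the spec's MIME-essence rule). The `proposal` flag and the `classifyRequest` helper are this example's own names, not spec terms.

```javascript
// Added example: model of forbidden vs. CORS-safelisted request headers and
// the carve-out proposed in whatwg/fetch#268. Not spec code; lists abbreviated.

// Forbidden header names: a page may never set these on a fetch() request.
// Subset of the Fetch spec list; "proxy-" and "sec-" prefixes are also forbidden.
const FORBIDDEN_HEADER_NAMES = new Set([
  'accept-charset', 'accept-encoding', 'access-control-request-headers',
  'access-control-request-method', 'connection', 'content-length', 'cookie',
  'cookie2', 'date', 'dnt', 'expect', 'host', 'keep-alive', 'origin',
  'referer', 'te', 'trailer', 'transfer-encoding', 'upgrade', 'via',
]);

// "Simple" (CORS-safelisted) request headers: sendable cross-origin
// without a preflight. Content-Type only qualifies for three media types.
const SAFELISTED_HEADER_NAMES = new Set(['accept', 'accept-language', 'content-language']);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

function isForbiddenHeaderName(name) {
  const n = name.toLowerCase();
  return FORBIDDEN_HEADER_NAMES.has(n) || n.startsWith('proxy-') || n.startsWith('sec-');
}

function isCorsSafelistedRequestHeader(name, value) {
  const n = name.toLowerCase();
  if (SAFELISTED_HEADER_NAMES.has(n)) return true;
  if (n === 'content-type') {
    // Simplification: media type is the part before the first ';'.
    const essence = value.split(';')[0].trim().toLowerCase();
    return SAFELISTED_CONTENT_TYPES.has(essence);
  }
  return false;
}

// May a page set this header, given the request's credentials mode?
// proposal = 'current'   -> today's rule: forbidden names are always dropped.
// proposal = 'issue-268' -> hypothetical: Cookie allowed when credentials
//                           mode is "omit" or "same-origin" (never "include").
function headerAllowed(name, credentialsMode, proposal = 'current') {
  const n = name.toLowerCase();
  if (proposal === 'issue-268' && n === 'cookie' &&
      (credentialsMode === 'omit' || credentialsMode === 'same-origin')) {
    return true;
  }
  return !isForbiddenHeaderName(n);
}

// Classify a proposed header set: which headers survive, which are silently
// dropped, and whether the surviving set forces a CORS preflight.
// `headers` is a plain object of header name -> value (constructed input).
function classifyRequest(headers, credentialsMode, proposal = 'current') {
  const sent = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (headerAllowed(name, credentialsMode, proposal)) sent[name] = value;
    else dropped.push(name);
  }
  // A preflight is needed if any surviving header is not safelisted. Cookie
  // and Authorization are never safelisted, so they always trigger one: the
  // server must opt in via Access-Control-Allow-Headers before the
  // credential is ever transmitted, which is what blocks blind brute-forcing.
  const preflight = Object.entries(sent)
    .some(([name, value]) => !isCorsSafelistedRequestHeader(name, value));
  return { sent, dropped, preflight };
}

// Constructed sample: site A wants to present its own cookie to site B
// while omitting the user's credentials.
const sampleHeaders = {
  'Accept': 'application/json',
  'Content-Type': 'text/plain; charset=utf-8',
  'Cookie': 'svc_session=EXAMPLE_SITE_A_TOKEN', // constructed placeholder value
};

console.log('current rules :', JSON.stringify(classifyRequest(sampleHeaders, 'omit', 'current')));
console.log('issue-268     :', JSON.stringify(classifyRequest(sampleHeaders, 'omit', 'issue-268')));
console.log('issue-268/incl:', JSON.stringify(classifyRequest(sampleHeaders, 'include', 'issue-268')));
```

Under today's rules the `Cookie` entry is dropped before the request leaves the browser; under the proposed carve-out it is sent with `credentials: "omit"` but the request is still non-simple, so the target origin must consent to the header in a preflight, and with `credentials: "include"` nothing changes. That is the distinction the post draws between "settable" and "simple".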

https://github.com/whatwg/fetch/issues/268

Received on Monday, 4 April 2016 09:15:16 UTC