- From: hiroshige-g <notifications@github.com>
- Date: Mon, 11 Apr 2016 03:16:59 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/26/208269265@github.com>
> Either we allow credentials in URLs or we don't. There's no middle ground here I think.

I agree with this. Perhaps we can allow URLs with embedded credentials only if they are created by a relative URL in the Request constructor, but it might introduce subtle corner cases and I'm not sure it is more strict than allowing all URLs with embedded credentials.

> Alternatively, just strip the credentials from the base when expanding relative urls.

@annevk, how about stripping credentials from the base for all cases, not only for the Fetch API?

We have two mechanisms that can be used for authenticating in multiple pages: (1) authentication entries for Authorization headers and (2) propagation of the embedded credentials in URLs. (In Chrome 49/Firefox 45, the credentials embedded in URLs are propagated: if the URL of the main HTML contains credentials, the URLs of <iframe>s, <img>s, and XHRs etc. in the page also contain the same credentials.)

If we can stop propagating credentials in URLs and rely only on authentication entries, we can make the spec/behavior simpler, prevent unintended propagation of credentials, and resolve this issue.

---
View it on GitHub: https://github.com/whatwg/fetch/issues/26#issuecomment-208269265
Received on Monday, 11 April 2016 10:17:29 UTC