- From: Takeshi Yoshino <notifications@github.com>
- Date: Mon, 11 Jan 2016 21:41:27 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
Received on Tuesday, 12 January 2016 05:41:57 UTC
So, the patched algorithm is: - request's credentials mode is `"include"` - request's credentials mode is `"same-origin"` and request's response tainting is `"basic"` Now it's clear that `"same-origin"` credentials mode works just based on whether the request being sent is same origin or cross origin except for the `"navigate"` mode. Anne, it seems the the `"same-origin"`+`"navigate"` combination will continue ignoring whether the current request is same origin or cross origin since its response tainting is "basic" and therefore the credentials mode is always set. Is this intentional? Based on the idea that `"navigate"` mode requests are always handled as if it's same origin regardless of `current url`? Given that the combination `"omit"`+`"no-CORS"` which looks meaningless is the default and we cannot kill it, I think keeping also the combination `"same-origin"`+`"no-CORS"` is more consistent. Agreed. --- Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/169#issuecomment-170801736
Received on Tuesday, 12 January 2016 05:41:57 UTC