- From: Anne van Kesteren <notifications@github.com>
- Date: Tue, 03 May 2016 23:34:47 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc:
Received on Wednesday, 4 May 2016 06:35:15 UTC
> +client.withCredentials = true > +/* … */</pre> > + > + <p>Nowadays, <code title>fetch("./", { credentials:"include" }).then(/* … */)</code> > + suffices. > +</div> > + > +<p><span title=concept-request>Request</span>'s > +<span title=concept-request-credentials-mode>credentials mode</span> is not necessarily observable > +on the server, only when <span>credentials</span> exist for > +<span title=concept-request>request</span> can it be observed. In such a scenario the > +<span>CORS request</span> would include <span>credentials</span>, but the > +<span>CORS-preflight request</span> would not. It never does. > + > +<p>The server developer therefore needs to decide whether or not resources "tainted" with > +<span>credentials</span> can be shared. Generally speaking, this is rather unsafe and extreme care I can maybe try doing that here. --- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/293/files/3c18527f11f87f44765b624c1152fe739204d783#r61994394
Received on Wednesday, 4 May 2016 06:35:15 UTC