Re: [whatwg/fetch] Explain CORS protocol and credentials interaction (#293)

> +client.withCredentials = true
> +/* &hellip; */</pre>
> +
> + <p>Nowadays, <code title>fetch("./", { credentials:"include" }).then(/* &hellip; */)</code>
> + suffices.
> +</div>
> +
> +<p><span title=concept-request>Request</span>'s
> +<span title=concept-request-credentials-mode>credentials mode</span> is not necessarily observable
> +on the server, only when <span>credentials</span> exist for
> +<span title=concept-request>request</span> can it be observed. In such a scenario the
> +<span>CORS request</span> would include <span>credentials</span>, but the
> +<span>CORS-preflight request</span> would not. It never does.
> +
> +<p>The server developer therefore needs to decide whether or not resources "tainted" with
> +<span>credentials</span> can be shared. Generally speaking, this is rather unsafe and extreme care
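
Review bot: In the paragraph beginning "Request's credentials mode is not necessarily observable", the closing "It never does." has an ambiguous antecedent, and the first sentence is a comma splice that leaves "In such a scenario" without a clear referent. Suggest stating the two cases directly, for example: "is only observable on the server when credentials exist for the request, in which case the CORS request includes them. The CORS-preflight request never includes credentials." In the following paragraph, "this is rather unsafe" would also read more clearly if it named what is unsafe, namely sharing resources "tainted" with credentials.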

I can maybe try doing that here.

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/293/files/3c18527f11f87f44765b624c1152fe739204d783#r61994394

Received on Wednesday, 4 May 2016 06:35:15 UTC