- From: Yves Lafon <notifications@github.com>
- Date: Tue, 19 Dec 2017 22:40:38 -0800
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 20 December 2017 06:41:00 UTC
@dbaron re: https://dbaron.github.io/with-credentials/

See [this Stack Overflow example](https://stackoverflow.com/questions/19325314/how-to-detect-cross-origin-cors-error-vs-other-types-of-errors-for-xmlhttpreq). This shows that figuring out the kind of error is indeed an issue for devs, and also that the solution of doing multiple requests in different modes is presented as a potential solution. But this solution adds latency and is not really satisfying.

People tend to use the solution to echo back the origin (your 2/ in use-cases), but IIRC there was an issue with some browser on handling Vary in cache, and basically always echoing back the origin is as dangerous as the proposed 'public-deauth'. The lack of libraries that do retry is a symptom that people are using the more dangerous option of echoing back the origin instead of relying on a library that would do retries for every network error.

Of course, opening up the error to include more details on why things failed would allow a library to do the right thing (like in plain HTTP, when credentials can be added after a 401 response for a subsequent request), but it would give more information than is needed to a potential malicious script.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/76#issuecomment-352978657
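The two approaches the message contrasts, as an added example that is not part of the original thread or of any of the projects it mentions: a client-side retry that tries a credentialed `fetch` first and falls back to an anonymous one when the browser reports an opaque network error, next to the three server policies under discussion (echo the Origin and grant credentials, anonymous-only wildcard, or an allowlist with `Vary: Origin`). Function names (`fetchWithCredentialFallback`, `corsResponseHeaders`, `makeSimulatedFetch`), origins and policy labels are assumptions chosen for the illustration. The simulated fetch is a deliberately simplified model of the browser's CORS response check so the block runs offline; it reports failures as a bare `TypeError`, which is exactly why the client cannot tell a CORS rejection from any other network failure.

```javascript
// Added example, not code from the thread. Names and origins are hypothetical.

// Browser side: try the credentialed request first. A CORS rejection reaches script
// only as a TypeError with no detail, so the only recovery is to retry in another
// credential mode; the second round trip is the latency cost the message points at.
async function fetchWithCredentialFallback(url, fetchImpl = globalThis.fetch) {
  const attempts = [];
  for (const credentials of ['include', 'omit']) {
    try {
      const response = await fetchImpl(url, { mode: 'cors', credentials });
      attempts.push({ credentials, outcome: 'ok' });
      return { response, credentials, attempts };
    } catch (err) {
      // Only TypeError means network/CORS failure; AbortError etc. propagate unchanged.
      if (!(err instanceof TypeError)) throw err;
      attempts.push({ credentials, outcome: 'network-error' });
    }
  }
  const failure = new TypeError('request failed in both credential modes');
  failure.attempts = attempts;
  throw failure;
}

// Server side, the three policies being compared.
//  'echo'      reflects any Origin and grants credentials: every site can read the
//              user's authenticated data, the dangerous option in the message.
//  'public'    anonymous-only wildcard; credentialed requests are refused.
//  'allowlist' echoes only known origins, grants credentials to them, and sends
//              Vary: Origin so caches keep the per-origin responses apart.
function corsResponseHeaders(policy, requestOrigin, allowlist = []) {
  const headers = {};
  switch (policy) {
    case 'echo':
      headers['Access-Control-Allow-Origin'] = requestOrigin;
      headers['Access-Control-Allow-Credentials'] = 'true';
      headers['Vary'] = 'Origin';
      break;
    case 'public':
      headers['Access-Control-Allow-Origin'] = '*';
      break;
    case 'allowlist':
      headers['Vary'] = 'Origin';
      if (allowlist.includes(requestOrigin)) {
        headers['Access-Control-Allow-Origin'] = requestOrigin;
        headers['Access-Control-Allow-Credentials'] = 'true';
      }
      break;
    default:
      throw new Error(`unknown policy ${policy}`);
  }
  return headers;
}

// Simplified model of the browser's CORS response check: with credentials the
// Allow-Origin header must equal the requesting origin exactly and
// Allow-Credentials must be "true"; without credentials "*" or the exact origin
// passes. As in a real browser, a failed check surfaces as a bare TypeError.
function makeSimulatedFetch(origin, policy, allowlist = []) {
  return async function fetchImpl(url, init) {
    const h = corsResponseHeaders(policy, origin, allowlist);
    const acao = h['Access-Control-Allow-Origin'];
    const allowed = init.credentials === 'include'
      ? acao === origin && h['Access-Control-Allow-Credentials'] === 'true'
      : acao === '*' || acao === origin;
    if (!allowed) throw new TypeError('Failed to fetch');
    return { status: 200, url, headers: h };
  };
}
```

Against the `public` policy the first attempt fails and the fallback succeeds, so every page load pays two round trips; against `echo` the first attempt succeeds for any origin at all, which is the convenience that makes it tempting and the property that makes it dangerous. The `allowlist` variant keeps the single round trip for known origins only, and the `Vary: Origin` header is what stops an intermediary cache from serving one origin's credentialed response to another.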