- From: sleevi <notifications@github.com>
- Date: Mon, 27 Feb 2017 12:18:02 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/341/282840284@github.com>
@annevk Right, I can understand why for same-origin, non-credentialed loads, this is not ideal.

If I understand your proposal correctly, the idea is that it would be safe to send same-origin, non-credentialed loads on the same underlying transport iff that transport did not bear ambient authority?

If we implemented that, my thought on the risks would be:

* Cross-origin, non-credentialed loads would be distinguishable
  - We still need cross-origin loads to go over a distinct connection, because of our privacy stance with respect to things like 3P cookie blocking. That is, if you had a same-origin load for `google.com`, and sent a cookie over that connection, then even though a 3P request for `google.com` might be both HTTP-credential-less and transport-credential-less, you can associate that cookie with the transport connection, ergo undermining some of the intent of 3P cookie blocking.
* Between socket late binding (as implemented in Chrome) and H/2's multiple streams, is there a risk of TOCTOU issues in which the socket is assigned because it's 'untainted', but then 'tainted' before the request is sent?
  - I'm not sure how NTLM/Kerberos/Negotiate behave in an H/2 world, and this might already be addressed in H/2.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/341#issuecomment-282840284
Received on Monday, 27 February 2017 20:18:42 UTC