Re: [whatwg/fetch] Allow connection reuse for request without credentials when TLS client auth is not in use (#341) from sleevi on 2017-02-27 (public-webapps-github@w3.org from February 2017)

From: sleevi <notifications@github.com>
Date: Mon, 27 Feb 2017 14:24:43 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/341/282876465@github.com>

@annevk Yup. I'm not defending it as a good policy, if only because I'm not sure I agree with it given http://www.chromium.org/Home/chromium-security/client-identification-mechanisms

Basically, any request that explicitly opts to not include cookies goes over a connection guaranteed to have never sent cookies (modulo any bugs) or authentication information, while any connection that 'could' or 'has' cookies or authentication information goes over a different connection.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/341#issuecomment-282876465

Received on Monday, 27 February 2017 22:25:18 UTC