- From: Anne van Kesteren <notifications@github.com>
- Date: Mon, 27 Feb 2017 16:32:45 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 28 February 2017 00:33:19 UTC
The main invariant we are trying to protect here is that if you load something with credentials that has `Access-Control-Allow-Origin: *` due to navigation or some such, that response does not end up reused by a `fetch()` for the same URL without credentials (because then the CORS check would suddenly pass while it should not).

If the user has multiple identities they are better off using something like https://blog.mozilla.org/tanvi/2016/06/16/contextual-identities-on-the-web/ I think, although offering servers more tools to more cleanly separate identities seems like a useful endeavor as well, but I think that's somewhat separate from this distinction here, which mainly follows from CORS.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/307#issuecomment-282903141
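The invariant described in the message above, as an added example that is not part of the original thread or of the Fetch standard's text: a simplified model of the CORS check together with an HTTP cache that either shares entries between credentialed and uncredentialed requests or partitions them by the credentials flag. The server, URLs, cookie and response bodies are constructed for illustration, and the navigation is modelled simply as a credentialed request for the URL.

```javascript
// Added example (not code from the thread or the Fetch standard): a minimal
// model of the CORS check plus an HTTP cache that is, or is not, partitioned
// by the request's credentials flag. All URLs, bodies and the cookie below
// are constructed for illustration.

const VICTIM_URL = "https://victim.example/profile"; // constructed
const ATTACKER_ORIGIN = "https://attacker.example";  // constructed

// Simplified CORS check following the Fetch standard's steps: "*" is only
// acceptable when no credentials were sent; otherwise the header must equal
// the request origin byte-for-byte and, if credentials were sent,
// Access-Control-Allow-Credentials must be exactly "true".
function corsCheck(headers, requestOrigin, credentialsIncluded) {
  const allowOrigin = headers.get("access-control-allow-origin");
  if (allowOrigin === undefined) return false;
  if (allowOrigin === "*" && !credentialsIncluded) return true;
  if (allowOrigin !== requestOrigin) return false;
  if (!credentialsIncluded) return true;
  return headers.get("access-control-allow-credentials") === "true";
}

// Constructed origin server: always answers with
// `Access-Control-Allow-Origin: *`, but the body depends on whether the
// session cookie was presented.
function victimServer(cookie) {
  const headers = new Map([["access-control-allow-origin", "*"]]);
  const body = cookie === "session=alice" ? "private data for alice" : "public data";
  return { headers, body };
}

// HTTP cache model. With partitionByCredentials === false, a credentialed
// navigation and a no-credentials fetch() of the same URL share one entry.
class HttpCache {
  constructor(partitionByCredentials) {
    this.partition = partitionByCredentials;
    this.entries = new Map();
  }
  key(url, credentialsIncluded) {
    return this.partition ? `${credentialsIncluded ? "cred" : "nocred"}:${url}` : url;
  }
  get(url, credentialsIncluded) {
    return this.entries.get(this.key(url, credentialsIncluded));
  }
  put(url, credentialsIncluded, response) {
    this.entries.set(this.key(url, credentialsIncluded), response);
  }
}

// Network-or-cache fetch: the cookie is only attached when the request's
// credentials flag is set.
function fetchWithCache(cache, url, credentialsIncluded) {
  let response = cache.get(url, credentialsIncluded);
  if (!response) {
    response = victimServer(credentialsIncluded ? "session=alice" : null);
    cache.put(url, credentialsIncluded, response);
  }
  return response;
}

// Scenario from the thread: the user navigates to the URL (credentials sent),
// then a page on another origin calls fetch(url, { credentials: "omit" }).
// Returns the body the attacker page can read, or null if the CORS check fails.
function crossOriginReadAfterNavigation(partitionByCredentials) {
  const cache = new HttpCache(partitionByCredentials);
  fetchWithCache(cache, VICTIM_URL, true);               // navigation, credentialed
  const resp = fetchWithCache(cache, VICTIM_URL, false); // fetch(), credentials omitted
  return corsCheck(resp.headers, ATTACKER_ORIGIN, false) ? resp.body : null;
}

console.log("shared cache:     ", crossOriginReadAfterNavigation(false)); // "private data for alice"
console.log("partitioned cache:", crossOriginReadAfterNavigation(true));  // "public data"
```

With a shared cache the uncredentialed `fetch()` is served the credentialed response, and because that response carries `*` and the request sent no credentials, the CORS check passes and the private body is exposed. Keying the cache entry on the credentials flag makes the second request miss the cache and reach the server without the cookie, so only the public body is ever readable cross-origin. A credentialed cross-origin `fetch()` against the same `*` response still fails the check, as the standard requires.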