- From: Yves Lafon <notifications@github.com>
- Date: Mon, 27 Mar 2017 01:57:37 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/517@github.com>
This is a followup of [TAG issue 76](https://github.com/w3ctag/spec-reviews/issues/76) with a proposal to address the issue, as discussed during the last [TAG meeting](https://pad.w3ctag.org/p/2017-02-08-minutes.md). One solution could be to alias the "\*" value of Access-Control-Allow-Origin: to something more explicit, like "\***public-noauth**\*" (and link to the explanation behind the design decision behind "\*", see #206 ), this makes the intent more clear. "\*" can be later deprecated if needed. Then add new value(s) for ACAO: - "\***public-deauth\***" (name up to bikeshedding) that would mandate the Request credential mode to always be "omit". Having that value would solve the issue of being dependent of a context while calling fetch(), so solving [TAG issue 76](https://github.com/w3ctag/spec-reviews/issues/76) by letting the server decide of the nature of the interaction and not depend only on user context. - "\***public-auth\***" could potentially be added to avoid the common recipe of blindly echoing back the Origin, if added, this should be labelled as "Footgun", but with proper explanations, the situation might be different than when the original choice of forbidding auth for a static server was made (but if not, it is entirely fine to not add it). Cc: @mikewest -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/517
Received on Monday, 27 March 2017 08:58:09 UTC