- From: vanupam <notifications@github.com>
- Date: Thu, 11 May 2017 10:57:46 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/325/review/37653680@github.com>
vanupam commented on this pull request. > @@ -966,6 +992,41 @@ for other values. If <cite>HTML</cite> changes here, this standard will need cor Unless stated otherwise, it is unset. <p>A <a for=/>request</a> has an associated +<dfn export for=request id=concept-request-use-token-binding>use-token-binding flag</dfn>. +Unless stated otherwise, it is unset. + +<p class="note no-backref"><a for=/>Request</a>'s <a for=request>use-token-binding flag</a> +controls whether the user agent will send the <a for=/>token binding ID</a> for the +<a for=request>origin</a> of the <a for=/>request</a>'s url when it transmits the +<a for=/>request</a> to the server. The <a for=/>token binding ID</a> can be used by the server to, +e.g., bind HTTP cookies or OAuth tokens that it issues to the user agent. + +<p>A <a for=/>request</a> has an associated +<dfn export for=request id=concept-request-use-referred-token-binding>use-referred-token-binding flag</dfn>. We did consider that - and chose to go this way. In the not-too-distant future, we propose to add a "use-referred-token-binding" flag to XHR, (and a corresponding HTML attribute to links/forms). We don't want to give new APIs a way of setting the referring origin - we want it to be limited to the real referring origin. Reasonable? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/325#discussion_r116060273
Received on Thursday, 11 May 2017 17:58:23 UTC