- From: Yves Lafon <notifications@github.com>
- Date: Mon, 15 May 2017 02:51:33 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 15 May 2017 09:52:08 UTC
So the main issue is to allow access to a public resource without having a-priori knowledge of the value of `withCredentials` (i.e., relying on the URL and not on URL+context). It is of course possible to always echo back the Origin, but it won't solve the issue that the introduction of '*' allowed, which is disallowing access to some protected resources. (Note that echoing back Origin in ACAO is a common solution given to people complaining that '*' doesn't work.)

The introduction of "*public-deauth*", which sets withCredentials to false regardless of what the user set, is a way to declare a resource fully public without needing to know the context. The second part of the proposal (renaming '*' to something more explicit) is not linked, but would be a good clarification.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/517#issuecomment-301429244
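The "URL+context" dependency described in the message above, as an added example that is not part of the original comment: a reduced model of the Fetch CORS check showing that the same response headers pass or fail depending on the request's credentials mode. The origin `https://app.example`, the function names and the header sets are constructed for illustration; `withCredentials = true` corresponds to credentials mode `"include"`.

```javascript
// Added example: reduced model of the Fetch "CORS check" for the two
// response headers discussed in the message. All inputs are constructed.
function corsCheck(requestOrigin, credentialsMode, headers) {
  const acao = headers["access-control-allow-origin"];
  const acac = headers["access-control-allow-credentials"];
  if (acao === undefined) return false;
  // '*' is honoured only when the request carries no credentials.
  if (credentialsMode !== "include" && acao === "*") return true;
  // Otherwise the value must equal the serialized request origin exactly.
  if (acao !== requestOrigin) return false;
  if (credentialsMode !== "include") return true;
  // Credentialed requests also need the explicit opt-in header.
  return acac === "true";
}

// Strategy 1: declare the resource public with the wildcard.
function wildcardPolicy() {
  return { "access-control-allow-origin": "*" };
}

// Strategy 2: echo the Origin back. This passes in every mode, but it also
// grants credentialed cross-origin reads, so it is only appropriate when the
// response never varies with the user's cookies or HTTP authentication.
function echoPolicy(origin) {
  return {
    "access-control-allow-origin": origin,
    "access-control-allow-credentials": "true",
    "vary": "Origin",
  };
}

// Same URL, same server policy, different outcome per credentials mode.
function outcomes(origin) {
  const result = {};
  for (const mode of ["same-origin", "include"]) {
    result[mode] = {
      wildcard: corsCheck(origin, mode, wildcardPolicy()),
      echo: corsCheck(origin, mode, echoPolicy(origin)),
    };
  }
  return result;
}

console.log(outcomes("https://app.example"));
```
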