- From: Mike West <notifications@github.com>
- Date: Mon, 15 May 2017 03:28:03 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/517/301437046@github.com>
1. For `public-deauth`, I'm with @annevk. The server only gets a chance to send a header of any sort after the client has already sent a request, so `public-deauth*` can't set `withCredentials`; it's already been set and evaluated. That is, given `fetch("https://example.com/endpoint/", { credentials: "include" })`, credentials will be sent along with the request to `https://example.com/endpoint/` regardless of what it responds.
Are you asking for something more involved, like `public-deauth` causing the client to retry the request without credentials?
2. From the [linked minutes](https://pad.w3ctag.org/p/2017-02-08-minutes.md), it sounds like `public-auth` is what folks on the TAG really want. I recognize that some folks are doing this manually by reflecting the `Origin` header. Still, `crossdomain.xml` seems to prove that a sizable subset of developers didn't understand the implications of opening up credentialed access to responses. I don't think it's out of the question to add as a resource-specific opt-in, but I'd be a bit worried about folks setting this without auditing the endpoints first to ensure they weren't doing anything terribly risky (especially in the context of https://wicg.github.io/origin-policy/).
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/517#issuecomment-301437046
Received on Monday, 15 May 2017 10:28:36 UTC