- From: Travis Leithead <notifications@github.com>
- Date: Thu, 28 Sep 2017 05:07:55 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 28 September 2017 12:08:17 UTC
(pasting in my sketch--it was helpful to me anyway...)

![image](https://user-images.githubusercontent.com/2152696/30965615-48812e06-a456-11e7-9c48-ba37387c625e.png)

@dbaron will write the summary/details from today's meeting, but for my own understanding:

Public "de-auth"

* signal to automatically retry the request without credentials (rather than error out) when a request fails for a public resource because credentials were sent.
* a convenience for clients so they don't have to manually re-try the request without credentials when credentials were sent (also means the client can effectively ignore the with-credentials flag when trying to access public resources)
* requires another round-trip (yet this is commonly(?) done anyway by clients)
* reduces one case of the network error condition
* should not introduce new security attack surface

"Public auth"

* a convenience for the server to stop auto-echoing the origin back, for truly public resources
* better than crossdomain.xml because it's per resource, not per origin.

There's something about how public de-auth can avoid the second round trip, but I didn't quite follow that part :-)

https://github.com/w3ctag/design-reviews/issues/76#issuecomment-332816398
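The two proposals in the comment, modelled as an added example in JavaScript (not code from the thread, the TAG, or any browser): the origin, the resource table and the `deauthRetry` switch are constructed assumptions, and `corsCheck` is a simplification of the Fetch spec rule that a credentialed request cannot accept `Access-Control-Allow-Origin: *`.

```javascript
// Added example; ORIGIN, RESOURCES and the deauthRetry switch are assumptions
// used to model the proposal, not a real API or server.
const ORIGIN = "https://app.example";
// Server-side resource table (constructed): which paths are truly public.
const RESOURCES = {
  "/public/data.json": { isPublic: true, body: "public data" },
  "/me/profile.json": { isPublic: false, body: "private profile" },
};
// "Public auth": for a truly public resource the server answers "*" rather
// than echoing the requesting Origin plus Allow-Credentials: true, so it
// never grants a credentialed cross-origin read of that resource.
function serverHandle(path, origin, hasCookie) {
  const res = RESOURCES[path];
  if (!res) return { status: 404, headers: {}, body: "" };
  if (res.isPublic) {
    return { status: 200, headers: { "access-control-allow-origin": "*" }, body: res.body };
  }
  const headers = { "access-control-allow-origin": origin, "access-control-allow-credentials": "true" };
  if (!hasCookie) return { status: 401, headers, body: "" };
  return { status: 200, headers, body: res.body };
}
// Client-side CORS check (simplified from the Fetch spec): a credentialed
// request is rejected when the server answers "*"; it needs an exact origin
// match plus Allow-Credentials: true. A plain request accepts "*" or a match.
function corsCheck(response, origin, withCredentials) {
  const acao = response.headers["access-control-allow-origin"];
  if (withCredentials) {
    return acao === origin && response.headers["access-control-allow-credentials"] === "true";
  }
  return acao === "*" || acao === origin;
}
// "Public de-auth": when a credentialed request fails the CORS check, retry
// once without credentials (a second round trip) instead of surfacing a
// network error. With deauthRetry=false this is today's behaviour.
function fetchCrossOrigin(path, withCredentials, deauthRetry) {
  let resp = serverHandle(path, ORIGIN, withCredentials);
  if (corsCheck(resp, ORIGIN, withCredentials)) {
    return { ok: true, status: resp.status, body: resp.body, retried: false };
  }
  if (withCredentials && deauthRetry) {
    resp = serverHandle(path, ORIGIN, false);
    if (corsCheck(resp, ORIGIN, false)) {
      return { ok: true, status: resp.status, body: resp.body, retried: true };
    }
  }
  return { ok: false, error: "network error", retried: false };
}
```

Calling `fetchCrossOrigin("/public/data.json", true, false)` reproduces the network error the comment refers to; the same call with `deauthRetry` set to `true` succeeds on the second, credential-free round trip.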