- From: Anne van Kesteren <notifications@github.com>
- Date: Mon, 22 Jan 2018 03:24:17 -0800
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 22 January 2018 11:24:38 UTC
> (Note that there is no "don't use credentials" in HTTP, like if you want cookie dropped) Isn't that entirely left up to the client implementation? HTTP also allows for a design where you only return a 200 if a secret is given in a request header or even a GET request body (which you cannot emulate in browsers). All of these would fall flat with "follow your nose". -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/76#issuecomment-359395888
Received on Monday, 22 January 2018 11:24:38 UTC