[whatwg/fetch] CORS: why is Authorization request header forcing preflight? (#770)

(Not sure if this is the right forum, but https://www.w3.org/TR/cors/ doesn't provide a github link)

Some types of `Authorization` header are among the key tools for cross-site communication. However, this header is not considered "simple" and forces the preflight. This forces lots of odd workarounds, mostly by including the credentials/tokens in URL parameters or the POST body. That makes it harder to standardize around.

Would you ever consider removing the preflight requirement from the `Authorization` header? Perhaps this could be done safely enough by blacklisting some types of prefixes, e.g. "Basic", or whitelisting others such as "Bearer" or "JWT"? Or we could come up with another required prefix, e.g. "CORS ..."?
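The mechanism this question turns on, as an added example that is not part of the original issue thread: a small JavaScript model of the Fetch spec's rules for deciding whether a cross-origin request is "simple" or must be preflighted, and of the server-side `Access-Control-Allow-Headers` gate that the preflight enforces. It is an illustration written for this page, not code from the Fetch spec or from any browser; the byte-level value rules for `Accept`, `Accept-Language` and `Content-Language` are approximated by the 128-byte length limit alone (an assumption).

```javascript
// Added example (not from the thread): a minimal model of the Fetch spec's rules
// that decide whether a cross-origin request is "simple" or needs a preflight,
// and whether a preflight response authorizes the Authorization header.
// Assumption: the byte-level value checks for Accept/Accept-Language/
// Content-Language are approximated by the 128-byte length limit only.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// True when one request header is CORS-safelisted (needs no server opt-in).
function isSafelistedHeader(name, value) {
  if (value.length > 128) return false;
  switch (name.toLowerCase()) {
    case "accept": case "accept-language": case "content-language":
      return true;
    case "content-type": // only the MIME essence matters, not its parameters
      return SAFE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase());
    default: // Authorization (any scheme), X-Requested-With, ... land here
      return false;
  }
}

// Names the browser would put in Access-Control-Request-Headers.
function unsafeHeaderNames(headers) {
  return Object.entries(headers)
    .filter(([n, v]) => !isSafelistedHeader(n, v))
    .map(([n]) => n.toLowerCase()).sort();
}

// Does the browser have to send an OPTIONS preflight first?
function needsPreflight(method, headers) {
  return !SAFE_METHODS.has(method.toUpperCase()) ||
    unsafeHeaderNames(headers).length > 0;
}

// Server side of the gate: does Access-Control-Allow-Headers cover every
// unsafe name? "*" covers all of them for non-credentialed requests EXCEPT
// Authorization, which the spec requires the server to list explicitly.
function preflightAllows(allowHeaders, unsafeNames, credentialed = false) {
  const allowed = allowHeaders.split(",").map(s => s.trim().toLowerCase());
  const wildcard = !credentialed && allowed.includes("*");
  return unsafeNames.every(n =>
    allowed.includes(n) || (wildcard && n !== "authorization"));
}
```

The last function is the defender's point: a scheme-based exemption would remove the only step at which the target origin gets to say whether it wants to receive that header at all.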


https://github.com/whatwg/fetch/issues/770

Received on Thursday, 21 June 2018 17:31:55 UTC