Re: [whatwg/fetch] CORS: why is Authorization request header forcing preflight? (#770) from Dima Voytenko on 2018-06-22 (public-webapps-github@w3.org from June 2018)

From: Dima Voytenko <notifications@github.com>
Date: Fri, 22 Jun 2018 10:26:06 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/770/399518299@github.com>

Yes, will certainly get a lot better with origin policy. In the meantime, I believe, the current state with tokens being sent as query parameters is primarily motivated by simplicity rather than latency. But latency likely plays a role as well. Anecdotally, asking around why we (my org) not sending access_token in the `Authorization` header, I'm hearing "didn't want to deal with preflight". That seems like questionable but understandable tradeoff. But I'm not sure a web platform benefits overall.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/770#issuecomment-399518299

Received on Friday, 22 June 2018 17:26:29 UTC