Re: [whatwg/fetch] CORS: why is Authorization request header forcing preflight? (#770)

Sure, but it sounds like the OAuth2 spec is not considering how the Web
Security model works. You have alternatives, as noted, and it remains
unclear to me why the preflight is somehow fatal.

The comparison to Cookie is apt - browsers restrict how that access is
granted even more so. It is not clear to me why, given the alternatives that
exist, Authorization is somehow essential. Is there something missing here?
For example, if it is not to work around ITP, why bring up ITP at all?


https://github.com/whatwg/fetch/issues/770#issuecomment-400153895

Received on Tuesday, 26 June 2018 02:08:24 UTC