Re: [whatwg/fetch] CORS: why is Authorization request header forcing preflight? (#770)

I'm bringing up ITP because we can reasonably anticipate that the use-cases that required proper secure access and were implemented via cookie-credentialed CORS (in other words, valid security-sensitive non-tracking use cases) would have to switch to bearer-credentialed CORS, including OAuth2. That seems to be clearly anticipated by HTTP specs in the form of the "Authorization: Bearer" header. I understand, given the history, this might be a losing argument, but having Web APIs essentially motivating everyone to push bearer credentials into URL query parameters seems non-ideal too.

https://github.com/whatwg/fetch/issues/770#issuecomment-400416111

Received on Tuesday, 26 June 2018 18:27:15 UTC