Re: [whatwg/fetch] CORS: why is Authorization request header forcing preflight? (#770)

My goal here is to find out if it could ever be considered by web spec to whitelist `Authorization: Bearer ...` header as a "simple" CORS request w/o requiring preflight. I think at this point it's clear that this will not happen. So, I'm ok with closing this issue.

I think realistically this means that this authorization header usage (as defined by https://tools.ietf.org/html/rfc6750#section-2.1) is not going to be used in web platforms, with everyone just continuing to use query parameters to pass around bearer tokens. Note that CORS requests are the whole point of OAuth2 and bearer tokens in general. Assuming the use of bearer tokens on the web would only grow given the current trends, I can only see this as a net-negative for the web, user security/privacy, etc. But perhaps it's not a huge negative and not worth challenging the status quo.

>  and so it's not clear what's missing from using other headers

That'd probably be the worst-case scenario. Someone trying to use a non-standard header for something that's so clearly defined in standards.

> It also seems that the feature request is itself because of something related to ITP specifically (although it's presented as a more general case), and because of that, there's nothing to suggest that ITP wouldn't block or restrict access to whatever methods you end up also using, if those are seen as being usable for tracking and not just authorization.

As mentioned above a few times, bearer token use cases are _not_ tracking use cases: they are obtained by a user explicitly opting into using a 3p service for some value, e.g. to access photos for printing, or completing a payment transaction, or claiming an existing authorization to view content. My point is simply that ITP would likely increase use of bearer tokens, since it will be the only stable way to support such use cases.


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/770#issuecomment-400429074

Received on Tuesday, 26 June 2018 19:10:17 UTC
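As an added example that is not part of the thread, the following JavaScript reproduces the Fetch spec's "CORS-safelisted request-header" check (simplified: the `Range` special case and the stricter value grammar for `Accept-Language`/`Content-Language` are omitted) to show why `Authorization: Bearer ...` always costs a preflight while form-style headers do not, and the preflight response a resource server sends to let the actual request carry the token; `allowedOrigins` and the origin strings are assumed.

```javascript
// Added example, not code from the whatwg/fetch project or the thread.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// A header is CORS-safelisted only if both its name and its value qualify.
function isSafelistedHeader(name, value) {
  if (new TextEncoder().encode(value).length > 128) return false;
  // "CORS-unsafe request-header byte": control chars (tab excepted), DEL and
  // a set of delimiters that the spec refuses in safelisted values.
  if (/[\x00-\x08\x0a-\x1f"():<>?@\[\\\]{}\x7f]/.test(value)) return false;
  switch (name.toLowerCase()) {
    case "accept":
    case "accept-language":
    case "content-language":
      return true;
    case "content-type": {
      const essence = value.split(";")[0].trim().toLowerCase();
      return SAFELISTED_CONTENT_TYPES.has(essence);
    }
    default:
      return false; // Authorization, X-Requested-With, custom headers, ...
  }
}

// The browser sends a preflight unless the method and every header are safelisted.
function needsPreflight(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(headers).some(([k, v]) => !isSafelistedHeader(k, v));
}

// Server side: the answer to the OPTIONS preflight. Origins are checked against
// an explicit allow list (assumed) and echoed back; "*" would not be usable for
// a request that also carries credentials.
function preflightResponse(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.has(requestOrigin)) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": requestOrigin,
      "Access-Control-Allow-Methods": "GET, POST",
      "Access-Control-Allow-Headers": "Authorization",
      "Access-Control-Max-Age": "600", // browser caches the verdict for 10 min
      "Vary": "Origin",
    },
  };
}
```

With `Access-Control-Max-Age` set, the preflight is paid once per origin/URL pair rather than on every request, which is the usual mitigation for the cost the thread discusses.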