Re: [whatwg/fetch] Update Fetch to support Token Binding (#715)

The only thing left on my list of comments is what to do with referredTlsConnection. I don't like the aesthetics of needing to go through the step of "obtaining a connection" (even if there most likely is already a connection in the connection pool, and a new connection isn't made), especially since it's the only other place (besides HTTP-network fetch) that calls that step. However, I'll defer judgement of this to those who know the Fetch spec better than I.

On the previous PR, there was a conversation about whether Token Binding should be mentioned in section 2 (Infrastructure) with the definition of Credentials, which I don't think reached a conclusion. I am of the opinion that a Sec-Token-Binding header should be treated as a credential (both in the CORS withCredentials context and in a third-party cookie blocking context): A site could choose to set up and operate its infrastructure so that a Token Binding ID is the only information stored on the client for the client's identity (and the Token Binding ID serves as a key into a server-side session state table).

https://github.com/whatwg/fetch/pull/715#issuecomment-387242819

Received on Tuesday, 8 May 2018 00:04:14 UTC