Re: [whatwg/fetch] "With Credentials" flag possibly inconsistent with web architecture (#517)

> Well, it could be that if requested without credentials the server closes the connection and `Access-Control-Allow-Origin: *` was mostly set in error when requested with credentials. We don't really know.

Yup. And in that case, the developer would make another non-credentialed request, see it fail, and be sad. That's an ergonomic failure, but doesn't seem like a security risk to be concerned about.

I'm not saying this is the best idea ever or that it will always succeed. I'm saying that I don't see a substantial security risk to revealing to the developer that they would have been able to access the response they just got if they hadn't sent credentials along with the request, and giving them the opportunity to write their own retry logic. That seems fine?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/517#issuecomment-436614091

Received on Wednesday, 7 November 2018 12:57:05 UTC
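As an added illustration of the retry logic the comment refers to (example code written for this page, not from the thread, the Fetch spec, or any browser), the block below models the Fetch spec's CORS check for a response and wraps it in a client that retries without credentials when, and only when, the failed credentialed response would have passed the non-credentialed check. The server, origins and URL are constructed stand-ins; in a real browser the same failure surfaces as an opaque rejected `fetch()` promise, so the developer cannot see the response headers the way this model does, which is the visibility the comment argues is harmless to expose.

```javascript
// Fetch spec CORS check (https://fetch.spec.whatwg.org/#concept-cors-check),
// modelled over a Map of lowercase response header names.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  const allowOrigin = responseHeaders.get("access-control-allow-origin");
  if (allowOrigin === undefined) return false;          // no ACAO header: failure
  if (credentialsMode !== "include" && allowOrigin === "*") return true;
  if (allowOrigin !== requestOrigin) return false;      // must echo our origin
  if (credentialsMode !== "include") return true;
  // With credentials, "*" is never acceptable and ACAC must be exactly "true".
  return responseHeaders.get("access-control-allow-credentials") === "true";
}

// The information the comment proposes revealing to the developer: would the
// response that just failed have passed had the request carried no credentials?
function wouldPassWithoutCredentials(requestOrigin, responseHeaders) {
  return corsCheck(requestOrigin, "omit", responseHeaders);
}

// Constructed server matching the quoted scenario: it always answers with
// `Access-Control-Allow-Origin: *`, even when a credentialed request arrives.
function constructedStarServer(request) {
  return {
    status: 200,
    headers: new Map([["access-control-allow-origin", "*"]]),
    body: request.credentials === "include" ? "personalised" : "public",
  };
}

// Constructed server that sends no CORS headers at all; nothing will help here.
function constructedClosedServer() {
  return { status: 200, headers: new Map(), body: "secret" };
}

// Client wrapper: try with credentials; on a CORS failure that the
// non-credentialed check would have allowed, retry once with credentials
// omitted. Any other failure is reported as-is with no second request.
function fetchWithCredentialFallback(server, requestOrigin, url) {
  const attempts = [];
  for (const credentials of ["include", "omit"]) {
    const response = server({ url, origin: requestOrigin, credentials });
    const allowed = corsCheck(requestOrigin, credentials, response.headers);
    attempts.push({ credentials, allowed });
    if (allowed) return { ok: true, credentials, body: response.body, attempts };
    if (credentials === "include" &&
        !wouldPassWithoutCredentials(requestOrigin, response.headers)) {
      break; // dropping credentials would not have helped; do not retry
    }
  }
  return { ok: false, attempts };
}

// Stand-alone demonstration with the constructed servers.
const ORIGIN = "https://app.example";            // assumed requesting origin
const URL_ = "https://api.example/data";         // assumed cross-origin URL
console.log(fetchWithCredentialFallback(constructedStarServer, ORIGIN, URL_));
console.log(fetchWithCredentialFallback(constructedClosedServer, ORIGIN, URL_));
```

Note that the fallback deliberately fetches a different thing: the second response is the public, non-personalised variant, which is exactly what the comment describes as an ergonomic rather than a security outcome, since the developer only ever receives a response the server was willing to hand to any origin.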