[whatwg/fetch] Doc: failed CORS fetch with credentials should ignore Set-Cookie response header (#855)

The docs example at https://fetch.spec.whatwg.org/commit-snapshots/c6b3a750f811cb4f628def0313ac317d9dcec88a/#example-cors-with-credentials states that:

"If the response does not include those two headers with those values, the failure callback will be invoked and any `Set-Cookie` response headers will end up being ignored."

Tested the example on OS X with:
```
Chrome Version 71.0.3578.98 (Official Build) (64-bit)
Firefox Version 64.0 (64-bit)
Safari Version 12.0.2 (14606.3.4)
```

and with: 
```js
fetch("https://abc.xyz/cors-testing/cors", {credentials: "include"});
fetch("https://abc.xyz/cors-testing/cors", {credentials: "include", method: "POST"});
```

and found an inconsistency in the way the spec is implemented across browsers. When a simple (GET, POST, no special request headers) CORS request with credentials (cookies) fails due to not receiving any CORS headers from the server, Chrome and Firefox go ahead and accept the Set-Cookie response header from the server and set the cookie in the browser. At the same time, Safari ignores the Set-Cookie response header and does not set the cookie.

My question is: which way should it be? On a failing simple request, should the Set-Cookie response header be accepted or ignored by the browser?

https://github.com/whatwg/fetch/issues/855

Received on Friday, 4 January 2019 00:06:13 UTC