Re: [whatwg/fetch] Doc: failed CORS fetch with credentials should ignore Set-Cookie response header (#855)

Thank you for reporting this!

The original intent was definitely that `Set-Cookie` should not take effect. Reading the fetch algorithm, however, it seems it will take effect, as the CORS check happens after cookies are handled. This might be because we added more explicit cookie handling later on and I didn't fully consider this when it happened.

I think we should ask Chrome and Firefox to change their setup and change the algorithm to enforce the original intent. And add some tests for this to web-platform-tests.

cc @whatwg/security 

https://github.com/whatwg/fetch/issues/855#issuecomment-451387085

Received on Friday, 4 January 2019 08:54:05 UTC
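
The ordering problem described in the message above, as an added example that is not part of the original thread or of the Fetch Standard's text: a simplified model in which a credentialed cross-origin response is handled either with cookies stored before the CORS check or with the CORS check first. All function names, origins and header values are constructed for illustration.

```javascript
// Simplified model (assumption): not the Fetch Standard's algorithm text.
// CORS check for a request with credentials: Access-Control-Allow-Origin must
// equal the request origin exactly ("*" is not accepted) and
// Access-Control-Allow-Credentials must be "true".
function corsCheck(requestOrigin, headers) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined || allowOrigin === "*") return false;
  if (allowOrigin !== requestOrigin) return false;
  return headers["access-control-allow-credentials"] === "true";
}

// Minimal cookie jar: stores only the name=value pair, ignoring attributes.
function storeCookies(jar, host, headers) {
  const setCookie = headers["set-cookie"];
  if (setCookie === undefined) return;
  const pair = setCookie.split(";")[0];
  const eq = pair.indexOf("=");
  if (eq < 0) return;
  jar.set(`${host}:${pair.slice(0, eq).trim()}`, pair.slice(eq + 1).trim());
}

// "cookies-first": the order the message reads out of the current algorithm.
// "cors-first": the order matching the stated original intent.
function handleResponse(order, requestOrigin, host, headers, jar) {
  if (order === "cookies-first") storeCookies(jar, host, headers);
  if (!corsCheck(requestOrigin, headers)) return "network error";
  if (order === "cors-first") storeCookies(jar, host, headers);
  return "ok";
}

// Constructed responses: one without CORS headers, one that passes the check.
const FAILING = { "set-cookie": "sid=abc123; Path=/; Secure" };
const PASSING = {
  "access-control-allow-origin": "https://app.example",
  "access-control-allow-credentials": "true",
  "set-cookie": "sid=abc123; Path=/; Secure",
};

function run(order, headers) {
  const jar = new Map();
  const outcome = handleResponse(order, "https://app.example", "api.example", headers, jar);
  return { outcome, cookieStored: jar.has("api.example:sid") };
}

for (const order of ["cookies-first", "cors-first"]) {
  console.log(order, run(order, FAILING), run(order, PASSING));
}
```

A web-platform-test for this behaviour would assert the `cors-first` outcome: the fetch rejects and a later same-site request carries no `sid` cookie.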