Re: [whatwg/fetch] Doc: failed CORS fetch with credentials should ignore Set-Cookie response header (#855)

I don't mind changing this in theory, but it will be practically difficult to implement in Chrome given our current layering. Cookies are currently handled way down in the bowels of the network stack, before handing off to CORS-aware bits of the system: reversing that ordering would be a good deal of work.

It surprises me a bit that Safari behaves differently, given that it similarly delegates cookie handling to the network stack. Is it possible Safari's third-party cookie blocking mechanisms, and not their CORS handling, were responsible for ignoring the `set-cookie` header in your test @Osintopsec?

https://github.com/whatwg/fetch/issues/855#issuecomment-451392008

Received on Friday, 4 January 2019 09:17:57 UTC
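The two orderings discussed in the message above, as an added example in the form of a simplified model (not Chrome's, Safari's, or the Fetch specification's code). All function names, the `Map` used as a cookie jar, the origin `https://app.example` and the sample response are assumptions constructed for illustration.

```javascript
// Simplified model, not browser code: every name here is an illustrative assumption.

// CORS check for a credentialed request: Access-Control-Allow-Origin must equal
// the request origin ("*" is not accepted with credentials) and
// Access-Control-Allow-Credentials must be "true".
function corsCheck(requestOrigin, headers) {
  return headers['access-control-allow-origin'] === requestOrigin &&
         headers['access-control-allow-credentials'] === 'true';
}

// Store the name=value part of a Set-Cookie header in a Map used as the cookie jar.
function storeCookie(jar, headers) {
  const setCookie = headers['set-cookie'];
  if (!setCookie) return;
  const pair = setCookie.split(';')[0];
  const eq = pair.indexOf('=');
  if (eq > 0) jar.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
}

// Ordering the message describes: the network layer handles cookies first,
// then hands the response to the CORS-aware layer.
function fetchCookiesFirst(jar, requestOrigin, response) {
  storeCookie(jar, response.headers);
  return { readable: corsCheck(requestOrigin, response.headers) };
}

// Ordering the issue title asks for: Set-Cookie is ignored when the CORS check fails.
function fetchCorsFirst(jar, requestOrigin, response) {
  const ok = corsCheck(requestOrigin, response.headers);
  if (ok) storeCookie(jar, response.headers);
  return { readable: ok };
}

// Constructed sample: a cross-origin response that carries no CORS headers.
const sampleResponse = { headers: { 'set-cookie': 'session=abc123; Path=/; Secure' } };

function demo() {
  const jarA = new Map();
  const jarB = new Map();
  const a = fetchCookiesFirst(jarA, 'https://app.example', sampleResponse);
  const b = fetchCorsFirst(jarB, 'https://app.example', sampleResponse);
  return { readableA: a.readable, storedA: jarA.has('session'),
           readableB: b.readable, storedB: jarB.has('session') };
}
```

In the cookies-first ordering the calling script cannot read the response, yet the cookie is already in the jar, so a server that must not set state for origins it does not allow has to withhold `Set-Cookie` itself rather than rely on the CORS failure.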