Re: [whatwg/fetch] Make Cors requests not take Referrer-Policy into account (#1013) from Anne van Kesteren on 2020-03-31 (public-webapps-github@w3.org from March 2020)

From: Anne van Kesteren <notifications@github.com>
Date: Tue, 31 Mar 2020 06:26:59 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/pull/1013/c606626171@github.com>

Sorry, I don't have it all paged in. Looking more closely at `fetch/origin/assorted.window.js` and results in browsers it seems that they mostly _do_ include the `Origin` header for same-origin "cors" requests, despite the specification suggesting the opposite. Unfortunately it doesn't test non-POST methods as extensively. It would be good to have it confirmed that a same-origin "cors" request with method GET also includes the `Origin` header at all times. If that's the case I think we should move forward with this PR as-is.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1013#issuecomment-606626171

Received on Tuesday, 31 March 2020 13:27:12 UTC