[whatwg/fetch] Should credentialed, same-site, cross-origin requests be easier to enable? (#1226)

The Fetch standard currently disallows using `Access-Control-Allow-Origin: *` with `Access-Control-Allow-Credentials: true`.

This policy requires developers to take an extra step when enabling credentials on same-site but cross-origin fetch requests. Instead of using a `*` wildcard, they must explicitly return the origin they are allowing.

Today, browsers are defaulting cookies to `SameSite=Lax`, which takes priority over CORS. Even with `credentials: "include"` and CORS properly configured, a cookie set to `SameSite=Lax` won't be included with the cross-origin request.

So, I believe a case can be made that disallowing `Access-Control-Allow-Origin: *` with `Access-Control-Allow-Credentials: true` is a redundant protection.

Some potential options:
* Allow origin wildcards on credentialed requests
* Introduce an alternative wildcard that allows all SameSite requests


-- 
https://github.com/whatwg/fetch/issues/1226

Received on Thursday, 29 April 2021 06:13:57 UTC
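The two gates the issue talks about, modelled as an added example that is not part of the original post, the Fetch standard, or any browser's code: `corsCheck` follows the steps of the Fetch "CORS check" as they apply to the headers named above, and `cookieAttached` models the SameSite cookie gate for a non-navigation `fetch()`. All function names, the `site()` helper (which assumes a two-label public suffix such as `example.com` instead of consulting the Public Suffix List), and the sample origins and headers are my own assumptions.

```javascript
// Added example (not from the Fetch standard, any browser, or the issue author):
// a small model of the two independent gates the issue discusses, so the
// interaction can be exercised offline. Hypothetical helper names throughout.

// Registrable domain ("site") of an origin. Assumption: a two-label public
// suffix such as example.com; real browsers consult the Public Suffix List.
function site(origin) {
  const labels = new URL(origin).hostname.split(".");
  return labels.slice(-2).join(".");
}

// Model of the Fetch "CORS check" on a response. Header names are lower-case.
// Returns true when the response may be exposed to requestOrigin.
function corsCheck(requestOrigin, credentialsMode, headers) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;             // no header: blocked
  if (credentialsMode !== "include" && allowOrigin === "*") return true;
  if (allowOrigin !== requestOrigin) return false;         // "*" fails here when credentialed
  if (credentialsMode !== "include") return true;
  return headers["access-control-allow-credentials"] === "true"; // exact byte match
}

// Model of the SameSite cookie gate. A cookie without the attribute is treated
// as Lax, which is the browser default the issue refers to.
function cookieAttached(cookie, request) {
  const sameSite = site(request.url) === site(request.initiatorOrigin);
  switch (cookie.sameSite) {
    case "None":
      return cookie.secure === true;        // None is only honoured with Secure
    case "Strict":
      return sameSite;
    case "Lax":
    default:
      if (sameSite) return true;
      return request.isTopLevelNavigation === true &&
        (request.method === "GET" || request.method === "HEAD");
  }
}

// End-to-end: does a credentialed fetch() from `origin` to `url` (a) carry the
// cookie and (b) get its response exposed, given the server's CORS headers?
function credentialedFetchOutcome(origin, url, cookie, responseHeaders) {
  const request = { url, initiatorOrigin: origin, isTopLevelNavigation: false, method: "GET" };
  return {
    cookieSent: cookieAttached(cookie, request),
    responseExposed: corsCheck(origin, "include", responseHeaders),
  };
}

// Constructed sample: same-site, cross-origin API call with a Lax session cookie.
const sessionCookie = { name: "session", sameSite: "Lax", secure: true };
const wildcardServer = {
  "access-control-allow-origin": "*",
  "access-control-allow-credentials": "true",
};
const echoServer = (origin) => ({
  "access-control-allow-origin": origin,
  "access-control-allow-credentials": "true",
});

// Wildcard with credentials: cookie goes out (same site), response is blocked.
console.log(credentialedFetchOutcome("https://app.example.com", "https://api.example.com/me", sessionCookie, wildcardServer));
// Echoed origin: both gates pass.
console.log(credentialedFetchOutcome("https://app.example.com", "https://api.example.com/me", sessionCookie, echoServer("https://app.example.com")));
// Cross-site caller: Lax cookie withheld even though the server would expose the response.
console.log(credentialedFetchOutcome("https://attacker.test", "https://api.example.com/me", sessionCookie, echoServer("https://attacker.test")));
```

The third scenario is the one to keep in mind when weighing the proposal: the CORS check and the SameSite gate are evaluated separately, and a cookie set with `SameSite=None; Secure` (the `"None"` branch above) never reaches the Lax logic at all, so for such cookies the origin check in `corsCheck` is the only thing standing between a credentialed cross-site response and the calling page.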