- From: Ryan Sleevi <notifications@github.com>
- Date: Tue, 03 Aug 2021 07:19:53 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 3 August 2021 14:20:05 UTC

As @annevk surmised, I do think this is dangerous, because this is not compatible with intermediary caches, because “credentialless” is not a network-observable explicit property. This creates the risk of browsers introducing special (“magic”) behaviour that varies from how other HTTP caches perform. That was the discussion with @mnot in https://github.com/whatwg/fetch/issues/307

I’m not opposed to finding a way we can specify the behaviour desired in a way that intermediary caches can respect, but I do believe there is real danger here to interoperability if we start keying browser caches in ways that intermediaries cannot respect, and expecting there to be a security difference. Am I wrong for thinking that?

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1253#issuecomment-891887304