- From: Michael[tm] Smith <notifications@github.com>
- Date: Tue, 16 Feb 2021 02:41:02 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1170@github.com>
This change clarifies a (non-normative) statement that "cors" request
mode is what makes a request into a cors request. In fact, for requests
with "cors" request mode, "cors" response tainting is also necessary in
order for the request to be considered a cors request. So this change
refines the relevant statement to make that clear.
Otherwise, without this change, considering the case of a same-origin
GET request whose mode is "cors", the spec is claiming that same-origin
GET request is a cors request.
But because the spec defines a "cors request" as “an HTTP request that
includes an `Origin` header”, a same-origin GET request cannot in fact
be a cors request — because it doesn’t include an `Origin` header. (And
that’s because for GET requests, the spec requires an `Origin` header to
be appended only if the request’s response tainting is "cors"; but for
same-origin requests, the request’s response tainting will be "basic".)
You can view, comment on, or merge this pull request online at:
https://github.com/whatwg/fetch/pull/1170
-- Commit Summary --
* Clarify cors requests need cors response tainting
-- File Changes --
M fetch.bs (3)
-- Patch Links --
https://github.com/whatwg/fetch/pull/1170.patch
https://github.com/whatwg/fetch/pull/1170.diff
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1170
Received on Tuesday, 16 February 2021 10:41:14 UTC