Re: [whatwg/fetch] Clarification on CORS preflight fetches for TLS client certificates (#869)

>>    But what I think is most important is will this change make security worse?
>
> Yes. It deliberately introduces ambient auth for a channel/transport based auth method, which we have two decades of experience from NTLM/Kerberos to know this causes a host of security issues.

This ambient auth through client certificates is already here and functioning in all browsers, but this is not the issue at hand. What we are talking about is if *sending a certificate during the preflight* will make security worse (as in the spec this is cited as the reason for not including them in the preflight in the first place).

Again:
- the preflight can be worked around by, in all fetches, replacing all `PUT`s with content-type `application/json` with `POST`s with content-type `text/plain` to get the certificate prompt and to pass the data through, but this is unaesthetic --- why doesn't the spec allow me to do things correctly?
- since a preflight is an HTTP `OPTIONS` request, it doesn't cause a change in server state, thus it should be safe to use with credentials included (the "missiles will be fired" in the main request *if-and-only-if* the response to the preflight allowed us to do so)

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/869#issuecomment-787474764

Received on Sunday, 28 February 2021 16:02:58 UTC
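The first bullet of the comment above hinges on which cross-origin requests the browser preflights and which it sends directly. The following is an added example, not code from the thread or from the Fetch Standard's own test suite: a simplified model of the standard's "CORS-safelisted method" and "CORS-safelisted request-header" rules, enough to classify the two request shapes the comment compares. It assumes a header map of plain strings, ignores the special handling of `Range`, and drops the spec's byte-level restrictions on header values; those simplifications are marked in the code.

```javascript
// Added example (not part of the original thread): a simplified model of
// when the Fetch Standard requires a CORS preflight for a cross-origin
// request. Assumptions: headers are given as a plain name->value object;
// the `Range` special case and the per-byte value checks of the spec are
// omitted for brevity.

// Methods that never trigger a preflight on their own.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

// Content-Type "essences" that are CORS-safelisted; anything else
// (application/json included) forces a preflight.
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Returns true when a single header is CORS-safelisted.
// Simplified: the spec also rejects certain bytes in the value and has
// extra rules for `Range`; both are left out here.
function isSafelistedHeader(name, value) {
  // The spec limits a safelisted value to 128 bytes.
  if (new TextEncoder().encode(String(value)).length > 128) return false;
  switch (name.toLowerCase()) {
    case "accept":
    case "accept-language":
    case "content-language":
      return true;
    case "content-type": {
      // The MIME type essence is type/subtype without parameters,
      // so "text/plain; charset=utf-8" still counts as text/plain.
      const essence = String(value).split(";")[0].trim().toLowerCase();
      return SAFELISTED_CONTENT_TYPES.has(essence);
    }
    default:
      return false;
  }
}

// Returns true when a cross-origin request with this method and these
// headers would be preflighted (and therefore, per the current spec, would
// not present a client certificate on the OPTIONS request).
function needsPreflight(method, headers = {}) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(headers).some(([k, v]) => !isSafelistedHeader(k, v));
}

// The two request shapes discussed in the thread (constructed inputs).
function classifyThreadExamples() {
  return {
    putJson: needsPreflight("PUT", { "Content-Type": "application/json" }),
    postText: needsPreflight("POST", { "Content-Type": "text/plain" }),
  };
}

console.log(classifyThreadExamples());
```

The defender-side takeaway is the one the second bullet already implies: because a `POST` with `text/plain` reaches the server with no preflight at all, the preflight response can never be the place where authorization is decided. The handler for the actual request has to authenticate and authorize on its own, and the `OPTIONS` handler should stay stateless and only describe which origins, methods and headers are permitted.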