Re: [whatwg/fetch] Clarification on CORS preflight fetches for TLS client certificates (#869)


> * the preflight can be worked around by in all fetches replacing all `PUT`s with content-type `application/json` to `POST`s with content-type `text/plain` to get the certificate prompt and to pass the data through, but this is unaesthetic --- why doesn't the spec allow me to do things correctly?

If you’re able to cause a prompt here, that’s a bug. I’ll try to reproduce in Chrome and see about fixing, if so, because that shouldn’t happen.

> * since a preflight is an HTTP `OPTIONS` request then it doesn't cause a change in server state, thus it should be safe to use with credentials included (the "missiles will be fired" in the main request _if-and-only-if_ the response to the preflight allowed us to do so)

We don’t send credentials in preflights to ensure they’re not misinterpreted as “missiles will be fired”.

I understand and am aware that the core of the concern seems to be that because of the current preflight behavior, it means that if you’re serving TLS to a browser, you cannot rely on *mandating* transport level authentication, and must leave it optional, dealing with it at a *request* level (authenticating individual requests for resources). Setting aside all the other problematic aspects of mTLS (e.g. prompting, renegotiation, rejection for inadequate security), the current behavior preserves HTTP semantics and aligns with the HTTP authentication model. Moving to enable pure transport auth, which is what enabling it for preflights would do, moves away from those semantics, from other auth methods, and from all of the efforts to improve the mTLS experience (such as the aforementioned spec efforts).

It does sound like there’s no dispute that the client auth should continue to be considered credentials though, which is certainly essential for security, and that the only concern is including it in preflights so servers can force authentication at the transport layer. Is that right?


-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/869#issuecomment-787477117

Received on Sunday, 28 February 2021 16:17:08 UTC