- From: eyeinsky <notifications@github.com>
- Date: Sun, 28 Feb 2021 08:29:11 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/869/787478911@github.com>
> If you’re able to cause a prompt here, that’s a bug. I’ll try to reproduce in Chrome and see about fixing, if so, because that shouldn’t happen.

Are you sure? If I do a fetch with `GET` and include credentials, then credentials should be included. The prompt is OK because, similar to `OPTIONS`, a `GET` doesn't cause a state change.

> We don’t send credentials in preflights to ensure they’re not misinterpreted as “missiles will be fired”.

Again, `OPTIONS` is similar to `GET` in this regard.

> It does sound like there’s no dispute that the client auth should continue to be considered credentials though, which is certainly essential for security, and that the only concern is including it in preflights so servers can force authentication at the transport layer. Is that right?

Well, silently I considered making another issue for including all credentials with preflights (not just the TLS client certificates, but the ones in HTTP headers too). Because an `OPTIONS` request *is* a safe HTTP verb, and if the server allows credentialed cross-origin requests anyway (by replying positively to the preflight), then I don't see what the security benefit of not sending credentials in the preflight would be.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/869#issuecomment-787478911
Received on Sunday, 28 February 2021 16:29:23 UTC
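The following JavaScript is an added illustration, not part of the thread above or the commenter's text. It models the two halves of the CORS flow the comment is arguing about: the server's answer to an `OPTIONS` preflight, which under the Fetch standard arrives without cookies, `Authorization` headers or a TLS client certificate and so can only be judged on `Origin` and the `Access-Control-Request-*` headers, and the browser-side CORS check that decides whether a credentialed response may be exposed at all. The origin allowlist, method list and header names are constructed for the example.

```javascript
// Added example (not code from the whatwg/fetch thread). Two pure functions:
//   preflightResponse() - server side, answers an OPTIONS preflight that the
//                         browser sends WITHOUT credentials;
//   corsCheck()         - browser side, the Fetch CORS check on a response.
// Allowlist, methods and header names are constructed for this example.

const ALLOWED_ORIGINS = new Set(['https://app.example']);      // constructed
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];       // constructed
const ALLOWED_HEADERS = ['content-type', 'authorization'];     // constructed

// Lower-case all header names so lookups are case-insensitive.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = String(v);
  return out;
}

// Server side: decide how to answer a preflight. Returns { status, headers }.
function preflightResponse(requestHeaders, allowedOrigins = ALLOWED_ORIGINS) {
  const h = normalize(requestHeaders);
  const origin = h['origin'];
  const method = (h['access-control-request-method'] || '').toUpperCase();
  const requested = (h['access-control-request-headers'] || '')
    .split(',').map(s => s.trim().toLowerCase()).filter(Boolean);

  // Without Origin and Access-Control-Request-Method this is not a preflight.
  if (!origin || !method) return { status: 400, headers: {} };

  // A credentialed CORS response must name one origin ("*" is not accepted by
  // browsers with credentials), so deny unknown origins instead of reflecting them.
  if (!allowedOrigins.has(origin)) return { status: 403, headers: {} };
  if (!ALLOWED_METHODS.includes(method)) return { status: 403, headers: {} };
  if (requested.some(name => !ALLOWED_HEADERS.includes(name))) {
    return { status: 403, headers: {} };
  }

  return {
    status: 204,
    headers: {
      'Access-Control-Allow-Origin': origin,          // explicit origin, never "*"
      'Access-Control-Allow-Credentials': 'true',     // the real request may carry credentials
      'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
      'Access-Control-Allow-Headers': ALLOWED_HEADERS.join(', '),
      'Access-Control-Max-Age': '600',
      'Vary': 'Origin',                               // response differs per origin
    },
  };
}

// Browser side: the Fetch standard's CORS check, applied to preflight and actual
// responses alike. Returns true when the response may be used by the page.
function corsCheck(requestOrigin, responseHeaders, credentialsMode) {
  const h = normalize(responseHeaders);
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) return false;
  if (credentialsMode !== 'include' && allowOrigin === '*') return true;
  if (allowOrigin !== requestOrigin) return false;
  if (credentialsMode !== 'include') return true;
  // With credentials, Access-Control-Allow-Credentials must be exactly "true".
  return h['access-control-allow-credentials'] === 'true';
}
```

To use `preflightResponse` in a Node `http` handler, pass `req.headers` (Node already lower-cases them) and write the returned status and headers back for `OPTIONS` requests; the point the functions make is that the server's admit/deny decision for a credentialed cross-origin request is taken before any credential is seen, and that the browser's check, not the preflight, is what keeps a wildcard response from exposing credentialed data.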