Re: [whatwg/fetch] Clarification on CORS preflight fetches for TLS client certificates (#869)

The original post in this thread seems to specifically call out the behavior I am discussing as invalid. Considering this a bug in Firefox does not seem to align with my reading of the rest of the thread. That is why I asked for clarification. If that is the case I can certainly work on filing a bug for it, but it will take me a bit to make a good standalone example.

I could be missing something but nothing in the thread seems to discuss the security implications from a server's perspective of responding to an `OPTIONS` request without having mutually authenticated the client making that request. There is debate about the safety of the `OPTIONS` request and the safety of including credentials from the client side. I was trying to add my perspective to that debate. And from my perspective an `OPTIONS` request is no riskier than a `GET` for the client, and I can require mutual authentication for that `GET` but not for the `OPTIONS` request. As a server, this seems like a legitimate security concern to me. I would rather not respond to any request without mutual authentication, but the spec does not seem to allow that. The only way to do that is drop Firefox support and utilize a bug in Chrome, which is certainly not something we should be relying on.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/869#issuecomment-853808174

Received on Thursday, 3 June 2021 11:48:27 UTC
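The server-side arrangement the message above describes (answer the credential-less preflight, require a verified TLS client certificate for the actual request) written out as an added Go example; it is not code from the poster, from Firefox, or from the Fetch repository. It assumes a single allowed origin `https://app.example`, a client CA in `client-ca.pem`, and a server key pair in `server.crt` / `server.key`; the function and type names are the example's own.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"log"
	"net/http"
	"os"
)

// allowedOrigin is the one origin this example is willing to serve (assumption).
const allowedOrigin = "https://app.example"

// Decision is what the policy function returns for one request.
type Decision struct {
	Status  int
	Headers map[string]string
}

// isPreflight reports whether the request is a CORS preflight as the Fetch
// spec defines it: OPTIONS carrying Origin and Access-Control-Request-Method.
func isPreflight(method string, h http.Header) bool {
	return method == http.MethodOptions &&
		h.Get("Origin") != "" &&
		h.Get("Access-Control-Request-Method") != ""
}

// decide encodes the policy from the thread. A preflight is answered without a
// client certificate because the browser does not send one on that request;
// every other request is refused unless the TLS layer presented a certificate.
// peerCerts is r.TLS.PeerCertificates; with tls.VerifyClientCertIfGiven a
// non-empty slice means the certificate already chained to ClientCAs, since an
// offered-but-invalid certificate fails the handshake before any request.
func decide(method string, h http.Header, peerCerts []*x509.Certificate) Decision {
	origin := h.Get("Origin")
	if isPreflight(method, h) {
		if origin != allowedOrigin {
			return Decision{Status: http.StatusForbidden, Headers: map[string]string{}}
		}
		return Decision{Status: http.StatusNoContent, Headers: map[string]string{
			"Access-Control-Allow-Origin":      allowedOrigin,
			"Access-Control-Allow-Methods":     "GET",
			"Access-Control-Allow-Credentials": "true",
			"Access-Control-Max-Age":           "600",
			"Vary":                             "Origin",
		}}
	}
	if len(peerCerts) == 0 {
		// The handshake was allowed to succeed without a certificate so that the
		// preflight could get through; mutual authentication is enforced here.
		return Decision{Status: http.StatusUnauthorized, Headers: map[string]string{}}
	}
	hdrs := map[string]string{}
	if origin == allowedOrigin {
		hdrs["Access-Control-Allow-Origin"] = allowedOrigin
		hdrs["Access-Control-Allow-Credentials"] = "true"
		hdrs["Vary"] = "Origin"
	}
	return Decision{Status: http.StatusOK, Headers: hdrs}
}

func handler(w http.ResponseWriter, r *http.Request) {
	var certs []*x509.Certificate
	if r.TLS != nil {
		certs = r.TLS.PeerCertificates
	}
	d := decide(r.Method, r.Header, certs)
	for k, v := range d.Headers {
		w.Header().Set(k, v)
	}
	w.WriteHeader(d.Status)
	if d.Status == http.StatusOK {
		_, _ = w.Write([]byte("hello " + certs[0].Subject.CommonName + "\n"))
	}
}

// newServer builds the listener. VerifyClientCertIfGiven is the TLS setting
// that matches the policy above: no certificate is tolerated at handshake
// time, but any certificate that is offered must verify against clientCAs.
func newServer(addr string, clientCAs *x509.CertPool) *http.Server {
	return &http.Server{
		Addr:    addr,
		Handler: http.HandlerFunc(handler),
		TLSConfig: &tls.Config{
			ClientAuth: tls.VerifyClientCertIfGiven,
			ClientCAs:  clientCAs,
			MinVersion: tls.VersionTLS12,
		},
	}
}

func main() {
	caPEM, err := os.ReadFile("client-ca.pem") // assumed path
	if err != nil {
		log.Fatal(err)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		log.Fatal("no CA certificates found in client-ca.pem")
	}
	log.Fatal(newServer(":8443", pool).ListenAndServeTLS("server.crt", "server.key"))
}
```

The point of splitting the policy out of the handler is that the unauthenticated surface is exactly one branch: a preflight from the allowed origin gets a header-only 204 and nothing else, and any request that is not a well-formed preflight is refused unless the connection carries a verified certificate. This is the spec-compliant shape the message is complaining about: the server still has to answer the `OPTIONS` without knowing who sent it.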