Re: [whatwg/fetch] Clarification on CORS preflight fetches for TLS client certificates (#869)

> I guess I'm not following then. `OPTIONS` is indeed done without credentials, but that doesn't mean that the actual request should fail if the server properly responded to the `OPTIONS` request.

"properly responded" in this context means dropping the certificate requirement and making them optional. Is that really *more* secure?

@eseglem In REST `OPTIONS` is as safe as a `GET` or `HEAD`, so why they specifically forbid a certificate prompt for `OPTIONS` isn't really clear.


https://github.com/whatwg/fetch/issues/869#issuecomment-855435074

Received on Sunday, 6 June 2021 17:43:13 UTC