Re: [whatwg/fetch] Specify the behavior of `COEP: credentialless`, (#1229) from Yutaka Hirano on 2021-06-10 (public-webapps-github@w3.org from June 2021)

From: Yutaka Hirano <notifications@github.com>
Date: Thu, 10 Jun 2021 03:06:20 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/pull/1229/c858492100@github.com>

> However the second origin should continue to be the client's origin. For instance, in the base case of a cross-origin no-cors request with no redirects, credentials must not be included. So the comparison is in between the client's origin and the request's current URL.

Sorry, can you give me an example? request's origin and request's client's origin are usually the same, but other checks such as [CORS](https://fetch.spec.whatwg.org/#cors-check) use request's origin, so I want to understand why in this case we need to use the client's origin. 

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1229#issuecomment-858492100

Received on Thursday, 10 June 2021 10:07:17 UTC