Re: [whatwg/fetch] Drop developer-controlled Authorization header on cross-origin redirects (#944)

https://fetch.spec.whatwg.org/#credentials:

> Credentials are HTTP cookies, TLS client certificates, and authentication entries (for HTTP authentication). [COOKIES] [TLS] [HTTP-AUTH]

The [HTTP-AUTH] reference defines a number of header fields that could be encompassed by the term 'credentials': `WWW-Authenticate`, `Authorization`, `Proxy-Authenticate`, and `Proxy-Authorization`. Therefore it seems like any use of the term 'credentials' in the spec would be expected to encompass certain specific headers. Truly custom headers as pointed out by @ptoomey3 would not be treated as credentials in any case, and security concerns aside would at least be far less likely to cause a collision of authentication methods at the redirection target, by virtue of being somewhat namespaced.

If the intention behind the implementation of fetch is that the handling of credentials only applies to when these are automatically populated by the browser (e.g. cookies), then I feel this should be explicit. However it does leave a gap/bug in the implementation for being able to handle the above use-case.

https://github.com/whatwg/fetch/issues/944#issuecomment-840620335

Received on Thursday, 13 May 2021 15:01:10 UTC
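The policy the comment above argues for, as an added example that is not part of this thread, the Fetch spec, or any browser's implementation: treat the request-side [HTTP-AUTH] header fields (`Authorization`, `Proxy-Authorization`) as credentials and drop them when a redirect leaves the origin of the original request, while leaving non-credential headers alone. The function and header names are assumptions made for the example; the follow loop relies on `redirect: 'manual'` exposing `Location`, which holds for Node 18+ but not for browsers (which return an opaque-redirect response), so it is a server-side illustration only.

```javascript
// Added example (not from the issue thread or the spec). Request-side HTTP-AUTH
// header fields treated as credentials; WWW-Authenticate and Proxy-Authenticate
// are response headers and never leave the client, so they are not listed.
const CREDENTIAL_REQUEST_HEADERS = new Set(['authorization', 'proxy-authorization']);

// Origin comparison per the URL standard: scheme, host and port must all match,
// so an https -> http downgrade on the same host also counts as cross-origin.
function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Compute the headers to send to a redirect target. `location` may be relative,
// as servers often send it; it is resolved against the URL that was redirected.
// Credential headers are dropped only when the target is cross-origin.
function headersForRedirect(requestUrl, location, headers) {
  const target = new URL(location, requestUrl).href;
  const crossOrigin = !sameOrigin(requestUrl, target);
  const forwarded = {};
  for (const [name, value] of Object.entries(headers)) {
    if (crossOrigin && CREDENTIAL_REQUEST_HEADERS.has(name.toLowerCase())) {
      continue; // developer-set credential: do not leak it to another origin
    }
    forwarded[name] = value;
  }
  return forwarded;
}

// Manual redirect loop around global fetch (Node 18+). Hypothetical helper name.
async function fetchDroppingCredentialsCrossOrigin(url, init = {}, maxRedirects = 5) {
  let currentUrl = url;
  let headers = { ...(init.headers || {}) };
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = await fetch(currentUrl, { ...init, headers, redirect: 'manual' });
    const location = res.headers.get('location');
    if (res.status < 300 || res.status > 399 || !location) return res;
    headers = headersForRedirect(currentUrl, location, headers);
    currentUrl = new URL(location, currentUrl).href;
  }
  throw new Error('too many redirects');
}

// Constructed sample input: a bearer token set by the developer on the request.
const sampleHeaders = { Authorization: 'Bearer example-token', Accept: 'application/json' };
console.log(headersForRedirect('https://api.example/v1/a', '/v1/b', sampleHeaders));
console.log(headersForRedirect('https://api.example/v1/a', 'https://cdn.example/b', sampleHeaders));
```

The same-origin check is deliberately strict: a redirect to the same host over plain HTTP still loses the `Authorization` header, which matches how browsers already treat cookies and other automatically attached credentials on cross-origin redirects.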