- From: Tom Schuster <notifications@github.com>
- Date: Fri, 24 Jun 2022 04:48:35 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1463@github.com>
#1022 We need to send the Origin header for same-origin CORS requests even with no-referrer. This is the current behavior of all browsers (https://wpt.fyi/results/fetch/origin/assorted.window.html?label=master&label=experimental&aligned) and not doing so [breaks the web](https://bugzilla.mozilla.org/show_bug.cgi?id=1775235).
- [ ] At least two implementers are interested (and none opposed):
* Firefox is interested
* Existing behavior in Safari and Chrome (which diverges further)
- [ ] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at:
* fetch/origin/assorted.window.html needs to be updated ("Origin header and POST same-origin fetch cors mode with Referrer-Policy no-referrer")
- [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed:
* Chrome: Existing behavior
* Firefox: (Re)-Implemented in https://bugzilla.mozilla.org/show_bug.cgi?id=1775235
* Safari: Existing behavior
* Deno (not for CORS changes): …
(See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.)
You can view, comment on, or merge this pull request online at:
https://github.com/whatwg/fetch/pull/1463
-- Commit Summary --
* Always send Origin header for (non HEAD/GET) CORS requests
-- File Changes --
M fetch.bs (2)
-- Patch Links --
https://github.com/whatwg/fetch/pull/1463.patch
https://github.com/whatwg/fetch/pull/1463.diff
--
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1463
You are receiving this because you are subscribed to this thread.
Message ID: <whatwg/fetch/pull/1463@github.com>
Received on Friday, 24 June 2022 11:48:48 UTC