Re: [whatwg/fetch] Explain the use-URL-credentials flag (PR #1498)

@domenic commented on this pull request.



> @@ -1781,6 +1781,12 @@ which is "<code>omit</code>", "<code>same-origin</code>", or
 <dfn export for=request id=concept-request-use-url-credentials-flag>use-URL-credentials flag</dfn>.
 Unless stated otherwise, it is unset.
 
+<p class=note>This flag controls whether the <a for=/>request</a>'s <a for=request>URL</a>'s
+<a for=url>username</a> and <a for=url>password</a> will be used to look up an
+<a>authentication entry</a> or not. Modern specifications avoid setting it, since putting
+credentials in <a for=/>URLs</a> is discouraged, but some older features set it for compatibility
+reasons.

Eek, OK, I think I understand the relevant conditionals now. So let me break it down to make sure.

There are three input conditions which interact with the UUC flag:

1. authentication entry exists in the side table
2. URL includes credentials
3. isAuthenticationFetch is true, i.e., are we doing a second fetch after a 401 with WWW-Authenticate

If the UUC flag is not set, then:

- (1) + (2) + (3) => use side table
- (1) + (2) => use side table
- (1) + (3) => use side table
- (2) + (3) => use credentials from the URL
- (1) => use side table
- (2) => use credentials from the URL
- (3) => no credentials

If the UUC flag is set, then:

- (1) + (2) + (3) => **use credentials from the URL**
- (1) + (2) => **no credentials**
- (1) + (3) => use side table
- (2) + (3) => use credentials from the URL
- (1) => use side table
- (2) => no credentials
- (3) => no credentials

Does this seem right? The (1) + (2) case is particularly a bit surprising of a change.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1498#discussion_r985369200
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/pull/1498/review/1127783130@github.com>

Received on Monday, 3 October 2022 04:19:26 UTC