- From: Anne van Kesteren <notifications@github.com>
- Date: Tue, 04 Oct 2022 01:43:51 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1498/review/1129528368@github.com>
@annevk commented on this pull request.

> @@ -1781,6 +1781,12 @@ which is "<code>omit</code>", "<code>same-origin</code>", or <dfn export for=request id=concept-request-use-url-credentials-flag>use-URL-credentials flag</dfn>. Unless stated otherwise, it is unset. +<p class=note>This flag controls whether the <a for=/>request</a>'s <a for=request>URL</a>'s +<a for=url>username</a> and <a for=url>password</a> will be used to look up an +<a>authentication entry</a> or not. Modern specifications avoid setting it, since putting +credentials in <a for=/>URLs</a> is discouraged, but some older features set it for compatibility +reasons.

Yeah, this seems to match the spec, but I'm not sure it's what we want or whether it matches browsers.

If you mean "(1) + (2) => no credentials" from the second list, that seems somewhat reasonable to me. Presumably that would then result in a 401 after which the URL credentials would be used, no?

I think what's more surprising is that we end up using URL credentials when the UUC flag is not set. That seems like a bug of sorts. (Some user agents associate credentials with a request by serializing them in the URL, which is perhaps where some of this stems from. It's been a long time.)

--
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/1498#discussion_r986596561
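Review bot: The added note (the "+<p class=note>This flag controls whether ..." lines) says the flag decides whether the URL's username and password are used to look up an authentication entry, but it does not say what happens to URL credentials when the flag is unset. The reply in this thread observes that URL credentials end up being used even when the flag is not set, so as worded the note can lead a reader to assume the unset flag keeps URL credentials out of the request. Suggest narrowing the sentence to the specific lookup step the flag gates, or holding the note until that behavior is settled. Separately, "whether ... will be used to look up an authentication entry or not" reads more cleanly without the trailing "or not".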
Received on Tuesday, 4 October 2022 08:44:05 UTC