Re: [whatwg/fetch] Explain the use-URL-credentials flag (PR #1498) from Anne van Kesteren on 2022-09-30 (public-webapps-github@w3.org from September 2022)

From: Anne van Kesteren <notifications@github.com>
Date: Fri, 30 Sep 2022 10:05:59 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/pull/1498/review/1127121911@github.com>

@annevk commented on this pull request.



> @@ -1781,6 +1781,12 @@ which is "<code>omit</code>", "<code>same-origin</code>", or
 <dfn export for=request id=concept-request-use-url-credentials-flag>use-URL-credentials flag</dfn>.
 Unless stated otherwise, it is unset.
 
+<p class=note>This flag controls whether the <a for=/>request</a>'s <a for=request>URL</a>'s
+<a for=url>username</a> and <a for=url>password</a> will be used to look up an
+<a>authentication entry</a> or not. Modern specifications avoid setting it, since putting
+credentials in <a for=/>URLs</a> is discouraged, but some older features set it for compatibility
+reasons.

This is incorrect. If this flag is true and URL contains username/password, we'll use the URL's username/password instead of the authentication entry (which is stored in a side table).

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1498#pullrequestreview-1127121911
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/pull/1498/review/1127121911@github.com>

Received on Friday, 30 September 2022 17:06:11 UTC