- From: jub0bs <notifications@github.com>
- Date: Thu, 02 Feb 2023 04:19:53 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 2 February 2023 12:20:06 UTC
While completing the test suite of [my CORS middleware library](https://pkg.go.dev/github.com/jub0bs/fcors), I ran into an interesting case. The [section entitled _CORS protocol and HTTP caches_](https://fetch.spec.whatwg.org/#cors-protocol-and-http-caches) says the following: > However, if `Access-Control-Allow-Origin` is set to `*` or a static origin for a particular resource, then configure the server to always send `Access-Control-Allow-Origin` in responses for the resource — for non-CORS requests as well as CORS requests — and do not use `Vary`. In the case of a single static origin (not the wildcard), if the resource allows credentials, shouldn't responses to non-CORS requests also contain `Access-Control-Allow-Credentials: true`? Otherwise, a response to a non-CORS requests lacking that header could get cached, and subsequently get served by the cache in response to a credentialed request; this situation would cause the CORS check to fail. Unless I'm missing something, perhaps this consideration deserves a mention in the standard. -- Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/1601 You are receiving this because you are subscribed to this thread. Message ID: <whatwg/fetch/issues/1601@github.com>
Received on Thursday, 2 February 2023 12:20:06 UTC