- From: Dominic Farolino <notifications@github.com>
- Date: Tue, 26 Sep 2023 08:11:27 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 26 September 2023 15:11:32 UTC
I'm not sure. The motivation for this was some discussion around FedCM fetch requests, of which there are two interesting ones: 1. The accounts list fetch 2. The ID assertion fetch We [agreed that the ID assertion fetch can use CORS](https://github.com/fedidcg/FedCM/issues/428#issuecomment-1729629625) and can piggyback off of the cookie layering work to send SameSite=None cookies. But the accounts list fetch I think is still somewhat unsolved. That either has to: 1. Use something like unsafe-no-cors, which will get around ORB blocking of a cross-origin no-cors JSON request/response 2. Or hack around this by manually changing the initiator of the request to be same-origin with the resource, so ORB _won't_ block it. Maybe this can be justified because the request is "browser-mediated", but maybe not. I think we probably need to discuss this more. I'll re-open until we discuss the accounts fetch solution more, if that's alright. -- Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/1533#issuecomment-1735743318 You are receiving this because you are subscribed to this thread. Message ID: <whatwg/fetch/pull/1533/c1735743318@github.com>
Received on Tuesday, 26 September 2023 15:11:32 UTC