- From: Johann Hofmann <notifications@github.com>
- Date: Wed, 12 Feb 2025 13:09:24 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1807/review/2613211957@github.com>
@johannhof commented on this pull request.
> @@ -5710,21 +5843,9 @@ run these steps:
<p>If <var>includeCredentials</var> is true, then:
<ol>
- <li>
- <p>If the user agent is not configured to block cookies for <var>httpRequest</var> (see
- <a href=https://httpwg.org/specs/rfc6265.html#privacy-considerations>section 7</a> of
- [[!COOKIES]]), then:
-
- <ol>
- <li><p>Let <var>cookies</var> be the result of running the "cookie-string" algorithm (see
- <a href=https://httpwg.org/specs/rfc6265.html#cookie>section 5.4</a> of
- [[!COOKIES]]) with the user agent's cookie store and <var>httpRequest</var>'s
- <a for=request>current URL</a>.
+ <p class=note>This permits some implementations to choose to not support cookies for some or all <var>httpRequest</var>s.
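Review bot: The added `<p class=note>` opens with "This", but nothing in the visible hunk says what "This" refers to. A note is also non-normative, while the removed step ("If the user agent is not configured to block cookies for httpRequest ...") was a normative condition. Suggest naming the normative statement the note explains, so the permission to omit cookies does not rest on the note alone. The removed lines also carried the pointer to section 7 of [[!COOKIES]] (privacy considerations); if that link is not kept elsewhere in the change, retain it next to the note so readers can still find why a user agent may block cookies.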
"This" here refers to the word "should" in the line below? I'm not a huge fan of that, both because it's a bit subtle and also because it doesn't account for the opposite case: All major browsers have settings / overrides that will allow cross-site cookies to be sent, so I think it would be preferable to insert a step that allows user agents to make an additional implementation defined choice about whether to include cookies or not. It might have to live in the `append a request Cookie header` algorithm.
Obviously this should be reserved for truly implementation-specific settings and anything else should be standardized here.
--
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1807#pullrequestreview-2613211957
Received on Wednesday, 12 February 2025 21:09:28 UTC