- From: Uku Sõrmus <notifications@github.com>
- Date: Sat, 17 May 2025 04:40:01 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/1824/2888328324@github.com>
ukusormus left a comment (whatwg/fetch#1824)

@jub0bs Yes, seems like a valid summary (but I'm not sure about the conclusion).

If we extend the request "type" (e.g. non-preflighted/preflighted) to any request, we can have a (mental or technical) pipeline where we first divide an incoming request into two buckets, "non-preflighted" and "preflighted", and later decide (e.g., when getting the request initiator information from somewhere) whether it is same-origin or cross-origin. Although from this viewpoint, I would use some other terms than "non-preflighted" and "preflighted", since the "preflighted" bucket *could* then turn out to contain a "same origin" request initiator, which would make the request actually non-preflighted.

As said, this is one possible interpretation, and the other (current?) interpretation could prevail that doesn't extend the request "type" to same-origin requests. For an example counter-argument, one could say that:

- Keep it simple: there are same-origin requests with no subtypes, and for cross-origin requests & CORS, we have these two exclusive subtypes X and Y.
- You don't really *need* that reverse (mental or technical) pipeline anywhere.

Could there be any reason to distinguish same-origin requests by being "simple" or "non-simple", for any reason, now or in the future?

---

OT:

> A simple request may or may not carry credentials

True, thanks for pointing that out. The "always" wording was taken from an attacker's / pentester's perspective that tries to maximize any given situation for own benefit :-) It should be more along the lines of "cookies *can* always be included with a simple request in same-site scope if the attacker wants it to be", be it with `<form>`, the Fetch API or whatnot.

(was taken from [this](https://ukusormus.github.io/cookies/site-origin-cookie-scopes-visualizer/) tool I've recently put together, changed the wording slightly there)

-- Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/1824#issuecomment-2888328324
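The two-stage pipeline discussed above (bucket a request as "simple" or "non-simple" first, then apply the initiator origin to decide whether a preflight is actually sent), as an added JavaScript example that is not part of the thread or of the Fetch Standard's text. It assumes request headers are passed as a plain object and simplifies the Fetch Standard's CORS-safelisted header checks (the 128-byte value limit and the `Range` header rule are omitted).

```javascript
// Added example (not from the thread): classify a request first by the
// "simple" (CORS-safelisted) bucket, then by initiator origin, so that a
// non-simple request only counts as preflighted once it is cross-origin.
// Simplified from the Fetch Standard's CORS-safelisted checks (assumption:
// value-length limit and the Range header rule are left out).
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

function isSafelistedHeader(name, value) {
  const n = name.toLowerCase();
  if (n === "accept" || n === "accept-language" || n === "content-language") {
    return true;
  }
  if (n === "content-type") {
    // Only the MIME essence matters; parameters such as charset are ignored.
    const essence = String(value).split(";")[0].trim().toLowerCase();
    return SAFE_CONTENT_TYPES.has(essence);
  }
  return false;
}

// Stage 1: does the request stay inside the "simple" bucket?
function isSimpleRequest(method, headers) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return false;
  return Object.entries(headers).every(([k, v]) => isSafelistedHeader(k, v));
}

// Stage 2: is the initiator same-origin with the target (scheme, host, port)?
function isSameOrigin(initiatorOrigin, targetUrl) {
  return new URL(initiatorOrigin).origin === new URL(targetUrl).origin;
}

// Combine both stages. A same-origin request is never preflighted, even if
// it sits in the "non-simple" bucket; only cross-origin non-simple ones are.
function classify({ method, headers = {}, initiatorOrigin, url }) {
  const simple = isSimpleRequest(method, headers);
  const sameOrigin = isSameOrigin(initiatorOrigin, url);
  return { simple, sameOrigin, preflight: !simple && !sameOrigin };
}

// Constructed sample: a cross-site POST that stays in the simple bucket, so
// no preflight gates it and same-site cookies can ride along with it.
const sample = classify({
  method: "POST",
  headers: { "Content-Type": "text/plain;charset=utf-8" },
  initiatorOrigin: "https://app.example",
  url: "https://api.example/submit",
});
console.log(sample); // { simple: true, sameOrigin: false, preflight: false }
```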
Received on Saturday, 17 May 2025 11:40:05 UTC