Re: [whatwg/fetch] Clarification on CORS preflight fetches for TLS client certificates (#869)

alexiade left a comment (whatwg/fetch#869)

@mikkorantalainen it is NOT most secure. It basically makes bilateral TLS unusable in sites that need a CORS preflight from another user-certificate-using site, reducing security in favor of an entirely imaginary privacy concern. Here's a little summary why...

The mechanism, as I understand it: the preflight (OPTIONS) must be sent without credentials, and the spec includes the TLS client certificate in that set. To comply, a server can't require a client certificate at connection establishment — if it did, the preflight itself couldn't complete. So the server is pushed toward making the certificate optional at the TLS layer (request it, but accept the handshake without it) and rejecting unauthenticated requests afterward at the application layer.

The problem is that "client cert optional at connection level" is the exact property I'm trying to avoid. The whole point of mTLS for me is that unauthenticated requests never reach the application at all. Making the certificate optional reopens that door, and at least in Firefox the practical outcome is that once a preflight can succeed without a certificate, subsequent requests are treated as if operating without one too — so the transport-level guarantee mTLS was meant to provide effectively disappears.

On the privacy rationale: TLS client authentication is a transport-layer mechanism that already has a clean opt-out path. A client can decline to present a certificate, and the server decides whether to proceed or refuse the connection. It's not obvious to me what additional privacy exposure is introduced by presenting (or not presenting) a certificate during preflight that isn't already governed by the TLS layer itself. If there's a concrete privacy threat model I'm missing here, I'd genuinely appreciate a pointer, because from where I sit the perceived risk seems marginal relative to the cost — which is making a standard, well-understood transport-security mechanism hard to combine with CORS at all.

My ask: would the WG consider reconsidering whether TLS client certificates belong in the set of credentials excluded from preflight — or, failing that, documenting a recommended pattern for safely using mTLS alongside CORS that doesn't require weakening connection-level authentication?

Yea, I can configure my server to allow certless OPTIONS. In fact I did. Firefox took that as permission to NOT send the client cert at all and fell flat on its face when the POST got a 400 for not sending the cert. Please... Pretty please... Do not break transport security.

Disclaimer: AI was used to remove swearwords after spending a day trying to get it to work and finding there is NO solution other than configuring FF to work like Chrome.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/869#issuecomment-4683859103
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/issues/869/4683859103@github.com>

Received on Thursday, 11 June 2026 18:46:36 UTC
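The server-side pattern the comment describes (client certificate made optional at the TLS layer, the credential-less OPTIONS preflight answered without one, every other request refused unless the certificate verified), written out as an added nginx example; it is not configuration from the thread or from any project, and the hostnames, paths and upstream address are placeholders. The log format records `$ssl_client_verify` so that certificate-less requests reaching the application tier, the exact weakening the comment objects to, stay visible in the access log.

```nginx
# Constructed example: mTLS alongside CORS preflight, with the cost made explicit.
log_format mtls '$remote_addr "$request" $status cert=$ssl_client_verify';

server {
    listen 443 ssl;
    server_name api.example.test;                      # placeholder hostname

    ssl_certificate        /etc/nginx/tls/server.crt;  # placeholder paths
    ssl_certificate_key    /etc/nginx/tls/server.key;
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;

    # "optional": request a client certificate but finish the handshake without
    # one, so a preflight sent without credentials can reach nginx at all.
    # Consequence: unauthenticated connections now terminate at the server
    # instead of being refused by the TLS layer; enforcement moves below.
    ssl_verify_client optional;

    access_log /var/log/nginx/mtls.log mtls;           # placeholder path

    location /api/ {
        # Preflight: answered without requiring a certificate.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin      "https://app.example.test" always;
            add_header Access-Control-Allow-Methods     "GET, POST, OPTIONS" always;
            add_header Access-Control-Allow-Headers     "Content-Type" always;
            add_header Access-Control-Allow-Credentials "true" always;
            add_header Access-Control-Max-Age           600 always;
            return 204;
        }

        # Actual requests: $ssl_client_verify is SUCCESS, NONE (no certificate
        # presented) or FAILED:<reason>. Anything but SUCCESS is refused here,
        # at the application tier, rather than at connection establishment.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        add_header Access-Control-Allow-Origin      "https://app.example.test" always;
        add_header Access-Control-Allow-Credentials "true" always;
        proxy_pass http://127.0.0.1:8080;              # placeholder upstream
    }
}
```

A browser that sends the preflight and then, as the comment reports for Firefox, omits the certificate on the following POST will show up in this log as `cert=NONE` with a 403, which is the simplest way to confirm which side dropped the credential.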