Re: [whatwg/fetch] Clarification on CORS preflight fetches for TLS client certificates (#869)

alexiade left a comment (whatwg/fetch#869)

The cleanest way to put the whole thing: mTLS gives you transport authentication (only cert-holders get a connection). The preflight-credential rule exists to protect intent (anti-CSRF). Those are different properties. The rule was designed for per-request credentials where stripping is free; applied to a connection-level credential it can only be satisfied by sacrificing the authentication property to nominally defend an intent property that's already defended. The cost far exceeds the benefits and straight up breaks mTLS.

And the privacy concern is a joke, because public keys are... public. Client certs are issued by default from single-purpose CAs, and it's up to the issuer to decide what metadata, if any, they carry. That metadata too is considered public. They need next to none, or it can be completely bogus if the issuer is worried about somebody reading the cert metadata. Again - the risk it's trying to mitigate is far less and can be mitigated elsewhere, and the cost is destroying the whole bilateral transport security. Baby went out with the bathwater again...

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/869#issuecomment-4684285697

Message ID: <whatwg/fetch/issues/869/4684285697@github.com>

Received on Thursday, 11 June 2026 19:40:25 UTC
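The interaction the comment above argues about, as an added example that is not code from the whatwg/fetch thread, the spec, or any browser: a small model of a CORS-preflighted request against a server that authenticates clients with a TLS client certificate. It assumes, as the thread's premise goes, that the preflight is sent with credentials omitted and therefore without the client certificate. The server policies (`require` / `optional`), the request shapes, the origin `https://app.example` and the simplified "needs a preflight" test are all assumptions made for illustration.

```javascript
// Added example (not from the whatwg/fetch thread or spec). Models how a CORS
// preflight, sent with credentials omitted, interacts with a server that wants
// a TLS client certificate. Policies, hosts and request shapes are assumed.

// TLS handshake from the server's point of view (assumed model).
//   'require'  : handshake fails unless the client presents a certificate
//   'optional' : the server asks for one but completes the handshake either way
function tlsHandshake(clientCertPolicy, clientCert) {
  if (clientCertPolicy === 'require' && !clientCert) {
    return { ok: false, reason: 'TLS handshake failed: no client certificate' };
  }
  return { ok: true, cert: clientCert || null };
}

// Simplified preflight trigger: a non-safelisted method or any custom header.
// (The real Fetch rules are more detailed; this is enough for the point.)
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
function needsPreflight(req) {
  if (!SAFELISTED_METHODS.has(req.method)) return true;
  return Object.keys(req.headers || {}).some(h => !SAFELISTED_HEADERS.has(h.toLowerCase()));
}

// The preflight: an OPTIONS request on a connection opened with credentials
// omitted, so no client certificate is offered regardless of the actual
// request's credentials mode.
function preflight(server, req) {
  const hs = tlsHandshake(server.clientCertPolicy, null);
  if (!hs.ok) return { ok: false, stage: 'preflight', reason: hs.reason };
  const allowed = server.corsAllowOrigin === req.origin &&
    server.corsAllowMethods.includes(req.method);
  return allowed
    ? { ok: true, stage: 'preflight' }
    : { ok: false, stage: 'preflight', reason: 'CORS preflight denied' };
}

// The cross-origin fetch: preflight if needed, then the actual request, which
// is the only leg that carries credentials (and only when asked to).
function corsFetch(server, req) {
  if (needsPreflight(req)) {
    const p = preflight(server, req);
    if (!p.ok) return p;
  }
  const cert = req.credentials === 'include' ? req.clientCert : null;
  const hs = tlsHandshake(server.clientCertPolicy, cert);
  if (!hs.ok) return { ok: false, stage: 'request', reason: hs.reason };
  return { stage: 'request', ...server.handle(hs.cert) };
}

// Two assumed configurations of the same API.
const corsPolicy = { corsAllowOrigin: 'https://app.example', corsAllowMethods: ['GET', 'PUT'] };

// 1. mTLS enforced at the transport: every connection must present a cert.
const strictServer = {
  ...corsPolicy,
  clientCertPolicy: 'require',
  handle: cert => ({ ok: true, status: 200, subject: cert.subject }),
};

// 2. Certificate optional at the transport; the application rejects requests
//    that arrive without one. This lets the credential-less preflight through,
//    at the cost of the transport-level "only cert-holders get a connection".
const relaxedServer = {
  ...corsPolicy,
  clientCertPolicy: 'optional',
  handle: cert => cert
    ? { ok: true, status: 200, subject: cert.subject }
    : { ok: false, status: 401, reason: 'no client certificate' },
};

// Constructed sample requests from https://app.example.
const alice = { subject: 'CN=alice' };
const preflightedPut = {
  origin: 'https://app.example', method: 'PUT',
  headers: { 'X-Request-Id': 'r1' }, credentials: 'include', clientCert: alice,
};
const simpleGet = { origin: 'https://app.example', method: 'GET', headers: {}, credentials: 'include', clientCert: alice };
const anonymousPut = { ...preflightedPut, credentials: 'omit' };

// Worked results, returned from a function so they can be inspected.
function scenarios() {
  return {
    strictPut: corsFetch(strictServer, preflightedPut),           // dies at the preflight handshake
    strictGet: corsFetch(strictServer, simpleGet),                // no preflight, so mTLS works
    relaxedPut: corsFetch(relaxedServer, preflightedPut),         // preflight passes, 200 as alice
    relaxedAnonymousPut: corsFetch(relaxedServer, anonymousPut),  // reaches the app, 401 there
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scenarios(), null, 2));
}
```

Running it with `node` prints the four outcomes. The strict server never sees the actual PUT: the preflight connection, opened without a certificate, fails the handshake, and the browser reports a network error. The same server still serves the simple GET, because no preflight is involved. Only the relaxed server, which has given up requiring a certificate at the transport and re-checks it in the application, serves the preflighted PUT, which is the trade the comment is objecting to.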