Re: [whatwg/fetch] Clarification on CORS preflight fetches for TLS client certificates (#869)

thw0rted left a comment (whatwg/fetch#869)

You're right that I'm not a domain expert in your area, but it does sound like in your bullet list a lot of the cases do not have a browser on the client side of the connection -- we're talking about browser `fetch` preflight behavior here, right? I must also admit a lot of my work with mTLS was before pervasive HTTP/2 support, where you'd establish one long-lived TLS connection. Without h2 you're making new connections frequently, and if they're all mTLS protected, you're hitting the client cert private key on every one. But a lot of us don't have control over the entire network between client and server, h2 might still not be well supported end to end, and if you fall back to an earlier protocol you're back at the constant re-auth problem, at which point cookie-based sessions (at a higher layer) start looking pretty good.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/869#issuecomment-4693397446

Message ID: <whatwg/fetch/issues/869/4693397446@github.com>

Received on Friday, 12 June 2026 16:58:53 UTC