- From: James Bromwell <notifications@github.com>
- Date: Fri, 12 Jun 2026 13:47:40 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/869/4695323405@github.com>
thw0rted left a comment (whatwg/fetch#869)

I haven't used gRPC and certainly can't claim to be an expert. It does seem striking that most of the initial search results I get for "grpc in browser" say something like the opening sentence of [this .NET doc page](https://learn.microsoft.com/en-us/aspnet/core/grpc/browser?view=aspnetcore-10.0):

> It's not possible to directly call a gRPC service from a browser

Again, I'm assuming you're the expert; if direct connection to gRPC endpoints from the browser makes sense architecturally, maybe others have written about that and I'm just failing to find it.

As far as

> Are you trying to argue that browsers will not in fact support using mTLS as transport layer security, as what it IS?

Yeah, basically that's it -- you think mTLS is only for "transport layer security", and I am arguing that it is also useful as (exclusively) a secure method of proving client identity to an application. That's the fundamental disconnect here, as you say the CORS spec lumps mTLS in with "credentials", which as you point out negates the ability to use it as transport layer security. I don't work for WHATWG but I understand and *agree* with the user agent security model they have designed.

Fundamentally I disagree that "the whole point of TLS is MitM protection" -- (unidirectional) TLS authenticates the endpoint to which the client has connected. MITM is possible if you trust a root CA that issues an impersonation certificate to the "middle" party. ***This is by design***. There are tradeoffs between competing interests of the company (preventing loss of sensitive data) and the end user (preventing theft of sensitive data by a rogue sysadmin). If you don't want your company to break and inspect, then don't trust their CA -- or more likely, stop trying to do your personal stuff on company equipment. (Also: if as an application owner you want a one-off exception from the MITM-able trust model, that's what cert pinning and HSTS are for.)
-- View it on GitHub: https://github.com/whatwg/fetch/issues/869#issuecomment-4695323405
Received on Friday, 12 June 2026 20:47:45 UTC