- From: Alexia Death <notifications@github.com>
- Date: Fri, 12 Jun 2026 14:04:46 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 12 June 2026 21:04:50 UTC
alexiade left a comment (whatwg/fetch#869) Native gRPC, no — browsers can't speak the HTTP/2 trailer framing. But browsers call gRPC services every day via gRPC-Web and Connect (official projects), which run over fetch and are therefore subject to CORS preflight. That's not a side note — it's exactly why this issue bites: the browser-facing gRPC transport is a fetch client, it preflights, and the mTLS edge it connects to is where the certless-preflight rule breaks it. The fact that it's gRPC-Web rather than native gRPC is the reason CORS is even in the picture. As to the rest of your argumentation about TLS not being primarily about MitM protection .... go find your infosec guy and ask him. He's going to laugh himself hoarse. As a SERVICE PROVIDER I have a right to decide if someone can intercept my traffic or not. mTLS is the mechanism that I can use to say no. You are saying that as a service provider I am not entitled to that on the web? -- Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/869#issuecomment-4695451524 You are receiving this because you are subscribed to this thread. Message ID: <whatwg/fetch/issues/869/4695451524@github.com>
Received on Friday, 12 June 2026 21:04:50 UTC