Re: [whatwg/fetch] Clarification on CORS preflight fetches for TLS client certificates (#869)

Okeanos left a comment (whatwg/fetch#869)

Putting gRPC as a particular example aside: my previous comment was not in jest. We scrapped mTLS for internal HTTP-based web applications at enterprise scale because:

> We are talking about how the browser breaks mTLS in its default, common, industry standard use because of this glaring categorization error that categorizes public key and certificate as credentials.

We simply could not make it work either because requiring mTLS would break CORS across the board – something that doesn't really fly with modern SPAs, cross-domain HTTP-based communication etc.

Putting the burden of mTLS handling onto the actual backend services instead of being able to do it at the network layer in the edge routers that handle TLS already does not scale (at least it didn't for us). Specifically, it would have weakened the overall setup in ways that made it mostly useless to us so we stopped bothering.

Again because:

> The whole point of mTLS for me is that unauthenticated requests never reach the application at all.

https://github.com/whatwg/fetch/issues/869#issuecomment-4695955947

Received on Friday, 12 June 2026 22:32:29 UTC
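The trade-off the comment describes can be made concrete at the application layer. The following Go program is an added illustration, not code from the whatwg/fetch thread or from Okeanos: it configures the server to verify a client certificate only if one is presented (so the browser's credential-less preflight handshake still completes), and then enforces certificate presence in a middleware for every request except the CORS preflight itself. The hostnames, the `svc-a` subject, and the fake `tls.ConnectionState` used in `simulate` are constructed for the demo; no real handshake takes place. This is exactly the "burden on the backend" arrangement the comment argues against, shown so the cost is visible: the exception must be carved out in every service rather than once at the edge.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// edgeTLSConfig asks for a client certificate but lets the handshake finish
// without one, so a credential-less CORS preflight is not rejected at the TLS
// layer. Any certificate that is presented must chain to clientCAs.
// (With tls.RequireAndVerifyClientCert the preflight would fail at handshake.)
func edgeTLSConfig(clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{
		ClientAuth: tls.VerifyClientCertIfGiven,
		ClientCAs:  clientCAs,
		MinVersion: tls.VersionTLS12,
	}
}

// isPreflight reports whether r carries the headers of a CORS preflight.
func isPreflight(r *http.Request) bool {
	return r.Method == http.MethodOptions &&
		r.Header.Get("Origin") != "" &&
		r.Header.Get("Access-Control-Request-Method") != ""
}

// requireClientCert lets a preflight through unauthenticated and rejects every
// other request that did not arrive with a peer certificate on the connection.
func requireClientCert(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isPreflight(r) {
			next.ServeHTTP(w, r)
			return
		}
		if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
			http.Error(w, "client certificate required", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// appHandler answers the preflight with CORS headers and greets an
// authenticated caller by the certificate's common name.
func appHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isPreflight(r) {
			w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
			w.Header().Set("Access-Control-Allow-Methods", "GET, POST")
			w.Header().Set("Access-Control-Allow-Credentials", "true")
			w.WriteHeader(http.StatusNoContent)
			return
		}
		fmt.Fprintf(w, "hello %s\n", r.TLS.PeerCertificates[0].Subject.CommonName)
	})
}

// simulate pushes a constructed request through the middleware and returns the
// status code. withCert attaches a fake TLS state holding one constructed peer
// certificate; hostnames and subject are placeholders for the demo.
func simulate(method string, preflight bool, withCert bool) int {
	req := httptest.NewRequest(method, "https://api.example.test/data", nil)
	if preflight {
		req.Header.Set("Origin", "https://app.example.test")
		req.Header.Set("Access-Control-Request-Method", "POST")
	}
	req.TLS = &tls.ConnectionState{}
	if withCert {
		req.TLS.PeerCertificates = []*x509.Certificate{
			{Subject: pkix.Name{CommonName: "svc-a"}},
		}
	}
	rec := httptest.NewRecorder()
	requireClientCert(appHandler()).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	_ = edgeTLSConfig(x509.NewCertPool()) // would be passed to http.Server.TLSConfig
	fmt.Println("preflight, no cert:", simulate("OPTIONS", true, false))
	fmt.Println("POST, no cert:     ", simulate("POST", false, false))
	fmt.Println("POST, with cert:   ", simulate("POST", false, true))
}
```

The preflight passes with 204, an unauthenticated POST is refused with 401, and a POST on a connection that presented a certificate reaches the handler. Note what has been given up relative to edge-terminated mTLS: the unauthenticated OPTIONS request does reach application code, which is precisely the property the comment says it was not willing to lose.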