Re: [imports] credentials flag bits need to be updated to current fetch terminology

I encountered a pre-release site that uses credentials to protect it from
public.
Imports in that site failed to load because the UA didn't send credentials.
The current behavior solved this problem.

There are a couple of options that I didn't take:

- Always send credentials: We clearly shouldn't do this as the same reason
why XHR doesn't this.

- Introduce @crossorigin attribute: This seemed plausible, but I worried
that this can be just redundant and hurts brevity
  if the credential-protected sites are the mainstream.
  Once a popular FAQ site recommends to put it all the time, that would
become bad news.

Then send-only-same-origin looked promising way to go.
I think following XHR behavior makes sense because it is well understood as
it's been there for a long time and both imports and XHR load documents.
I'm not super confident about this though.


On Sun, Jul 27, 2014 at 4:18 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Tue, Jul 22, 2014 at 12:36 AM, Hajime Morrita <morrita@google.com>
> wrote:
> > It behaved like that before. I changed it to current one so that it works
> > with credential-protected in-house or staged apps.
>
> You'll need to elaborate a bit, I'm not sure I understand. In any
> event, I think XMLHttpRequest's default behavior of only sending
> credentials same-origin is somewhat confusing. If we only offer one
> mode for rel=import we should either always include credentials (and
> thus require more complicated CORS headers) or never.
>


>
>
> --
> http://annevankesteren.nl/
>



-- 
morrita

Received on Monday, 28 July 2014 22:22:19 UTC