- From: Mike West <mkwst@google.com>
- Date: Wed, 8 Jan 2020 10:59:46 +0100
- To: shujun an <anshujun81@gmail.com>
- Cc: Web Application Security Working Group <public-webappsec@w3.org>
Received on Wednesday, 8 January 2020 10:00:00 UTC
On Tue, Dec 24, 2019 at 4:35 PM shujun an <anshujun81@gmail.com> wrote:

> Dear Sir/Madam,
> The Sec-Fetch-Mode HTTP Request Header could be set to "cors", "navigate",
> "nested-navigate", "no-cors", "same-origin", and "websocket". When it is
> set to be "cors", is it the same with feature with an OPTIONS preflight
> request and would not include cookies by default? I cannot find this direct
> answer from section 2.2 in https://www.w3.org/TR/fetch-metadata/
> <https://www.w3.org/TR/fetch-metadata/>. Thanks! Regards,

A CORS preflight request would send `Sec-Fetch-Mode: cors`, as the request is defined as having a `mode` of "cors" in step 1 of https://fetch.spec.whatwg.org/#cors-preflight-fetch-0. That preflight request wouldn't include credentials (as its "credentials mode" defaults to "omit").

Does that answer your question?

-mike
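The distinction drawn in the reply above, as an added example that is not part of the original thread: a server-side check that separates the credential-less preflight from the actual request, both of which arrive with `Sec-Fetch-Mode: cors`. The function names, return shapes and policy choices are assumptions; only the header names are real.

```javascript
// Added example, not code from the thread. Header names are real; function
// names, return shapes and the policy choices are assumptions.

// Lower-case header names so lookups are case-insensitive.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

// A CORS preflight is an OPTIONS request carrying Origin and
// Access-Control-Request-Method.
function isPreflight(method, h) {
  return method.toUpperCase() === 'OPTIONS' &&
    'origin' in h && 'access-control-request-method' in h;
}

// Classify a request before any session lookup happens.
function gate(method, rawHeaders) {
  const h = normalize(rawHeaders);
  const mode = h['sec-fetch-mode']; // absent on clients without Fetch Metadata
  const hasCookie = 'cookie' in h;
  if (isPreflight(method, h)) {
    // A browser labels its preflight "cors"; another value is inconsistent.
    if (mode !== undefined && mode !== 'cors') {
      return { action: 'reject', reason: 'preflight-mode-mismatch' };
    }
    // Preflights carry no credentials, so never require a session here.
    // A Cookie header means a browser's preflight logic did not build this.
    return { action: 'answer-preflight', requireSession: false, unexpectedCookie: hasCookie };
  }
  // The actual request can also say "cors", with or without cookies:
  // the mode does not tell you, so look at the Cookie header itself.
  return { action: 'handle', requireSession: true, mode: mode || 'unknown', hasCookie };
}

// Constructed sample requests (origin and cookie values are made up).
const ORIGIN = 'https://app.example';
const samples = [
  ['OPTIONS', { Origin: ORIGIN, 'Access-Control-Request-Method': 'PUT', 'Sec-Fetch-Mode': 'cors' }],
  ['PUT', { Origin: ORIGIN, 'Sec-Fetch-Mode': 'cors', Cookie: 'sid=constructed' }],
  ['PUT', { Origin: ORIGIN, 'Sec-Fetch-Mode': 'cors' }],
  ['OPTIONS', { Origin: ORIGIN, 'Access-Control-Request-Method': 'PUT', 'Sec-Fetch-Mode': 'navigate' }],
];
for (const [method, headers] of samples) {
  console.log(method, JSON.stringify(gate(method, headers)));
}
```

An endpoint that demands a session cookie on every request, preflights included, fails each preflight and so blocks the credentialed request that would have followed it.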