Re: [whatwg] [Fetch spec] Link to CORS FAQ wiki

I asked this question because I spent a lot of time trying to understand the reason
why credentials are omitted for preflight requests. But it seems the
current Fetch spec has a different algorithm than the W3C CORS spec.

The commit
has removed the definition of "user credentials". Is this intentional?
Before it, "user credentials" was defined as "cookies, HTTP authentication,
and client-side SSL certificates". Now the latest Fetch spec doesn't
mention client certificates. If this is intentional, the CORS FAQ is not
useful for understanding the current Fetch spec.

I dug through the history but couldn't find the root reason.

This revision defined what "credentials" means clearly in response to
Maciej's question. It
started mentioning client certificates explicitly.

If the reason is just to prevent distributed credentials search, don't
client certificates, which are not controlled by scripts, need to be omitted?
Is that the reason you've removed the definition of "user credentials" and
are controlling only cookies and authentication entries?

This revision added a (clarification?) text "(No credentials, ...)" to
explicitly prohibit adding any credential to the preflight request.

This revision added a step to reuse original request headers after some
filtering with a text "(The request headers are not included ...)".

The reason why script-provided credentials are omitted is explained from
this revision. I understand this.


Received on Friday, 15 August 2014 07:02:26 UTC