
Re: [whatwg] [Fetch spec] Link to CORS FAQ wiki

From: Takeshi Yoshino <tyoshino@google.com>
Date: Fri, 15 Aug 2014 16:01:34 +0900
Message-ID: <CAH9hSJa+dywKUfRXqtGbGhfH_2-ig8Zqwgc+0WEgTExknH9Xpw@mail.gmail.com>
To: whatwg <whatwg@whatwg.org>, Anne van Kesteren <annevk@annevk.nl>

I asked this question because I spent a lot of time trying to understand the
reason why credentials are omitted for preflight requests. But it seems the
current Fetch spec has a different algorithm than the W3C CORS spec.

The commit
https://github.com/whatwg/fetch/commit/adec3d2bf35726b46dd6c0079ff01dba8e154711
has removed the definition of "user credentials". Is this intentional?
Before it, "user credentials" was defined as "cookies, HTTP authentication,
and client-side SSL certificates". Now the latest Fetch spec doesn't
mention client certificates. If this is intentional, the CORS FAQ is not
useful to understand the current Fetch spec.

I dug through the history but couldn't find the root reason.

http://dev.w3.org/cvsweb/2006/waf/access-control/Overview.src.html#rev1.262
This revision defined what "credentials" means clearly in response to
Maciej's question http://www.w3.org/2008/webapps/track/issues/114. It
started mentioning client certificates explicitly.

If the reason is just to prevent distributed credentials search, don't
client certificates, which are not controlled by scripts, need to be omitted?
Is that the reason you've removed the definition of "user credentials" and
are controlling only cookies and authentication entries?

http://dev.w3.org/cvsweb/2006/waf/access-control/Overview.src.html#rev1.181
This revision added a (clarification?) text "(No credentials, ...)" to
explicitly prohibit adding any credential to the preflight request.

http://dev.w3.org/cvsweb/2006/waf/access-control/Overview.src.html#rev1.174
This revision added a step to reuse original request headers after some
filtering with a text "(The request headers are not included ...)".

http://dev.w3.org/cvsweb/2006/waf/access-control/Overview.src.html#rev1.132
The reason why script-provided credentials are omitted is explained from
this revision. I understand this.

Thanks
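As an added illustration of the preflight behaviour the message is asking about (this is example code, not code from the thread or from the Fetch spec): a small model in which `build_preflight()` derives the preflight from an actual request, dropping the headers that carry "user credentials" (cookies and HTTP authentication; client certificates live at the TLS layer and are not modelled), and `preflight_allows()` applies the checks a credentialed request must pass, including the rule that the wildcard `*` is never accepted once credentials are in play. The header names, origin and values are constructed samples, and the safelists are simplified.

```python
# Added example, not code from this thread or from the Fetch spec. It models the
# preflight behaviour discussed above: build_preflight() derives the preflight
# from an actual request, dropping the headers that carry "user credentials"
# (cookies, HTTP authentication; client certificates live at the TLS layer and
# are not modelled). preflight_allows() applies the checks a credentialed
# request must pass. All header values are constructed samples.

SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
CREDENTIAL_HEADERS = {"cookie", "authorization"}


def build_preflight(method, headers, origin):
    """Return (method, headers) of the preflight for an actual request."""
    # Non-safelisted headers are announced but not sent; credential headers are
    # neither announced nor sent, so the preflight never carries them.
    # Simplification: Content-Type is treated as safelisted whatever its value.
    announce = sorted(n.lower() for n in headers
                      if n.lower() not in SAFELISTED_HEADERS | CREDENTIAL_HEADERS)
    preflight = {"Origin": origin, "Access-Control-Request-Method": method.upper()}
    if announce:
        preflight["Access-Control-Request-Headers"] = ",".join(announce)
    return "OPTIONS", preflight


def _csv(value):
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def preflight_allows(response, origin, method, headers, credentials):
    """Decide whether a preflight response permits the actual request.

    With credentials, "*" is never accepted for origin, methods or headers,
    and Access-Control-Allow-Credentials must be exactly "true".
    """
    resp = {k.lower(): v for k, v in response.items()}
    allow_origin = resp.get("access-control-allow-origin")
    if allow_origin != origin and not (allow_origin == "*" and not credentials):
        return False
    if credentials and resp.get("access-control-allow-credentials") != "true":
        return False
    methods = _csv(resp.get("access-control-allow-methods", ""))
    if (method.upper() not in SAFELISTED_METHODS
            and not ("*" in methods and not credentials)
            and method.lower() not in methods):
        return False
    allowed = _csv(resp.get("access-control-allow-headers", ""))
    _, pre = build_preflight(method, headers, origin)
    for name in _csv(pre.get("Access-Control-Request-Headers", "")):
        if name not in allowed and not ("*" in allowed and not credentials):
            return False
    return True
```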
Received on Friday, 15 August 2014 07:02:26 UTC