- From: Takeshi Yoshino <tyoshino@google.com>
- Date: Fri, 15 Aug 2014 16:01:34 +0900
- To: whatwg <whatwg@whatwg.org>, Anne van Kesteren <annevk@annevk.nl>
I asked this question because I spent much time understanding the reason why credentials are omitted for preflight requests. But it seems the current Fetch spec has a different algorithm than the W3C CORS spec.

The commit https://github.com/whatwg/fetch/commit/adec3d2bf35726b46dd6c0079ff01dba8e154711 has removed the definition of "user credentials". Is this intentional? Before it, "user credentials" was defined as "cookies, HTTP authentication, and client-side SSL certificates". Now the latest Fetch spec doesn't mention client certificates. If this is intentional, the CORS FAQ is not useful to understand the current Fetch spec.

I dug through the history but couldn't find the root reason.

http://dev.w3.org/cvsweb/2006/waf/access-control/Overview.src.html#rev1.262
This revision defined what "credentials" means clearly in response to Maciej's question http://www.w3.org/2008/webapps/track/issues/114. It started mentioning client certificates explicitly. If the reason is just to prevent distributed credentials search, don't client certificates, which are not controlled by scripts, need to be omitted? Is that the reason you've removed the definition of "user credentials" and are controlling only cookies and authentication entries?

http://dev.w3.org/cvsweb/2006/waf/access-control/Overview.src.html#rev1.181
This revision added a (clarification?) text "(No credentials, ...)" to explicitly prohibit adding any credential to the preflight request.

http://dev.w3.org/cvsweb/2006/waf/access-control/Overview.src.html#rev1.174
This revision added a step to reuse original request headers after some filtering with a text "(The request headers are not included ...)".

http://dev.w3.org/cvsweb/2006/waf/access-control/Overview.src.html#rev1.132
The reason why script-provided credentials are omitted is explained from this revision. I understand this.

Thanks
Received on Friday, 15 August 2014 07:02:26 UTC
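The point the thread turns on, that the browser sends the CORS preflight without cookies or HTTP authentication, has a direct consequence for server authors: a preflight must be answered from the Origin and Access-Control-Request-* headers alone, and any preflight logic that consults a session or Authorization header will reject every legitimate cross-origin request. The following added example (not from the original message or from any spec or project) shows a minimal server-side decision function that follows that rule; the origin allowlist, method and header sets, and helper names are assumptions constructed for illustration.

```python
"""Added example: server-side CORS preflight decision that never consults
credentials. The browser omits cookies and HTTP auth on the preflight, so the
server decides from Origin and Access-Control-Request-* only. The allowlist,
method/header sets and function names below are constructed for this example."""

ALLOWED_ORIGINS = {"https://app.example"}            # constructed allowlist
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}    # constructed policy
ALLOWED_HEADERS = {"content-type", "x-requested-with"}


def _norm(headers):
    """Lower-case header names so lookups are case-insensitive."""
    return {k.lower(): v for k, v in headers.items()}


def is_preflight(method, headers):
    """True for the OPTIONS request a browser sends before a non-simple request."""
    h = _norm(headers)
    return method.upper() == "OPTIONS" and "access-control-request-method" in h


def handle_preflight(headers):
    """Answer a preflight using only Origin and Access-Control-Request-* headers.

    Returns (status, response_headers). Cookie and Authorization are
    deliberately never read: the browser does not send them on a preflight,
    so logic depending on them would reject every legitimate preflight.
    """
    h = _norm(headers)
    origin = h.get("origin")
    req_method = h.get("access-control-request-method", "").upper()
    req_headers = {
        x.strip().lower()
        for x in h.get("access-control-request-headers", "").split(",")
        if x.strip()
    }

    if origin not in ALLOWED_ORIGINS:
        # No CORS headers in the reply: the browser will block the actual request.
        return 403, {"Vary": "Origin"}
    if req_method not in ALLOWED_METHODS or not req_headers <= ALLOWED_HEADERS:
        return 403, {"Vary": "Origin"}
    return 204, {
        # Echo the exact origin; "*" is not valid together with credentials.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_HEADERS)),
        "Access-Control-Max-Age": "600",
        "Vary": "Origin",
    }


def cors_headers_for_actual(headers):
    """CORS headers for the real (credentialed) request once the preflight passed.

    Authentication of the actual request (checking the cookie or auth header)
    happens elsewhere; CORS headers here depend only on the Origin.
    """
    h = _norm(headers)
    origin = h.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return {"Vary": "Origin"}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


if __name__ == "__main__":
    # Constructed preflight as a browser would send it: no Cookie header.
    preflight = {
        "Origin": "https://app.example",
        "Access-Control-Request-Method": "PUT",
        "Access-Control-Request-Headers": "Content-Type",
    }
    print(is_preflight("OPTIONS", preflight), handle_preflight(preflight))
```

Feeding the same preflight with and without a Cookie header through handle_preflight gives an identical answer, which is the property the thread's "(No credentials, ...)" clarification implies a server should be able to rely on.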