- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 15 Aug 2014 12:09:25 +0200
- To: Takeshi Yoshino <tyoshino@google.com>
- Cc: whatwg <whatwg@whatwg.org>

On Fri, Aug 15, 2014 at 9:01 AM, Takeshi Yoshino <tyoshino@google.com> wrote:
> I asked this question because I spent much time to understand the reason why
> credentials are omitted for preflight requests.

I think that was because it was a new type of request and we generally consider sending credentials cross-origin by default to be a mistake.

> But it seems the current
> Fetch spec has a different algorithm than the W3C CORS spec.
>
> The commit
> https://github.com/whatwg/fetch/commit/adec3d2bf35726b46dd6c0079ff01dba8e154711
> has removed the definition of "user credentials". Is this intentional?
> Before it, "user credentials" was defined as "cookies, HTTP authentication,
> and client-side SSL certificates". Now the latest Fetch spec doesn't mention
> client certificates. If this is intentional, the CORS FAQ is not useful to
> understand the current Fetch spec.

Not having a generic term like user credentials was intentional. However, this is an outstanding bug: https://www.w3.org/Bugs/Public/show_bug.cgi?id=26556

It's a bit unclear to me how to accurately word the requirements. It seems like it will have to remain somewhat vague.

Apologies for the time it cost you to look into this. I recommend having a cursory glance at the list of open bugs next time.

I'm somewhat hesitant to include a direct link to the FAQ. There are several inaccuracies there and unlike what was predicted in May 2012, it never got maintained by the web community.

If it was mostly about the credentials bit from the FAQ then yes, we need to explain that in the current specification, once we have all agreed how those things should work in detail.

--
http://annevankesteren.nl/

Received on Friday, 15 August 2014 10:09:51 UTC