Re: [whatwg] [Fetch spec] Link to CORS FAQ wiki

On Fri, Aug 15, 2014 at 7:09 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Fri, Aug 15, 2014 at 9:01 AM, Takeshi Yoshino <tyoshino@google.com> wrote:
> > I asked this question because I spent much time to understand the reason why
> > credentials are omitted for preflight requests.
>
> I think that was because it was a new type of request and we generally
> consider sending credentials cross-origin by default to be a mistake.
>
>
> > But it seems the current
> > Fetch spec has a different algorithm than the W3C CORS spec.
> >
> > The commit
> > https://github.com/whatwg/fetch/commit/adec3d2bf35726b46dd6c0079ff01dba8e154711
> > has removed the definition of "user credentials". Is this intentional?
> > Before it, "user credentials" was defined as "cookies, HTTP authentication,
> > and client-side SSL certificates". Now the latest Fetch spec doesn't mention
> > client certificates. If this is intentional, the CORS FAQ is not useful to
> > understand the current Fetch spec.
>
> Not having a generic term like user credentials was intentional.
> However, this is an outstanding bug:
> https://www.w3.org/Bugs/Public/show_bug.cgi?id=26556 It's a bit
> unclear to me how to accurately word the requirements. It seems like
> it will have to remain somewhat vague.
>
>
Ah, Ryan has already done it. Thanks. I'll join there...


> Apologies for the time it cost you to look into this. I recommend
> having a cursory glance at the list of open bugs next time.
>
>
> I'm somewhat hesitant to include a direct link to the FAQ. There are
> several inaccuracies there and unlike what was predicted in May 2012,
> it never got maintained by the web community. If it was mostly about
> the credentials bit from the FAQ then yes, we need to explain that in
> the current specification, once we have all agreed how those things
> should work in detail.
>
>
> --
> http://annevankesteren.nl/
>

Received on Friday, 15 August 2014 10:13:43 UTC