Re: [whatwg] [Fetch spec] Link to CORS FAQ wiki

On Fri, Aug 15, 2014 at 7:12 PM, Takeshi Yoshino <tyoshino@google.com>
wrote:

> On Fri, Aug 15, 2014 at 7:09 PM, Anne van Kesteren <annevk@annevk.nl>
> wrote:
>
>> On Fri, Aug 15, 2014 at 9:01 AM, Takeshi Yoshino <tyoshino@google.com>
>> wrote:
>> > I asked this question because I spent much time to understand the
>> > reason why credentials are omitted for preflight requests.
>>
>> I think that was because it was a new type of request and we generally
>> consider sending credentials cross-origin by default to be a mistake.
>>
>
I see. Fair enough, and so we could revisit it now.


>
>>
>> > But it seems the current
>> > Fetch spec has a different algorithm than the W3C CORS spec.
>> >
>> > The commit
>> >
>> > https://github.com/whatwg/fetch/commit/adec3d2bf35726b46dd6c0079ff01dba8e154711
>> > has removed the definition of "user credentials". Is this intentional?
>> > Before it, "user credentials" was defined as "cookies, HTTP authentication,
>> > and client-side SSL certificates". Now the latest Fetch spec doesn't mention
>> > client certificates. If this is intentional, the CORS FAQ is not useful to
>> > understand the current Fetch spec.
>>
>> Not having a generic term like user credentials was intentional.
>> However, this is an outstanding bug:
>> https://www.w3.org/Bugs/Public/show_bug.cgi?id=26556 It's a bit
>> unclear to me how to accurately word the requirements. It seems like
>> it will have to remain somewhat vague.
>>
>>
> Ah, Ryan has already done it. Thanks. I'll join there...
>
>
>> Apologies for the time it cost you to look into this. I recommend
>> having a cursory glance at the list of open bugs next time.
>>
>>
>> I'm somewhat hesitant to include a direct link to the FAQ. There are
>> several inaccuracies there and unlike what was predicted in May 2012,
>>
>
Yeah, it needs an update as you say.


>> it never got maintained by the web community. If it was mostly about
>> the credentials bit from the FAQ then yes, we need to explain that in
>> the current specification, once we have all agreed how those things
>> should work in detail.
>>
>
OK!


>
>>
>> --
>> http://annevankesteren.nl/
>>
>
>

Received on Friday, 15 August 2014 10:31:55 UTC