On Fri, Aug 15, 2014 at 7:09 PM, Anne van Kesteren <ann...@annevk.nl> wrote:

> On Fri, Aug 15, 2014 at 9:01 AM, Takeshi Yoshino <tyosh...@google.com>
> wrote:
> > I asked this question because I spent much time to understand the reason
> why
> > credentials are omitted for preflight requests.
> I think that was because it was a new type of request and we generally
> consider sending credentials cross-origin by default to be a mistake.
> > But it seems the current
> > Fetch spec has a different algorithm than the W3C CORS spec.
> >
> > The commit
> >
> https://github.com/whatwg/fetch/commit/adec3d2bf35726b46dd6c0079ff01dba8e154711
> > has removed the definition of "user credentials". Is this intentional?
> > Before it, "user credentials" was defined as "cookies, HTTP
> authentication,
> > and client-side SSL certificates". Now the latest Fetch spec doesn't
> mention
> > client certificates. If this is intentional, the CORS FAQ is not useful
> to
> > understand the current Fetch spec.
> Not having a generic term like user credentials was intentional.
> However, this is an outstanding bug:
> https://www.w3.org/Bugs/Public/show_bug.cgi?id=26556 It's a bit
> unclear to me how to accurately word the requirements. It seems like
> it will have to remain somewhat vague.
Ah, Ryan has already done it. Thanks. I'll join there...

> Apologies for the time it cost you to look into this. I recommend
> having a cursory glance at the list of open bugs next time.
> I'm somewhat hesitant to include a direct link to the FAQ. There are
> several inaccuracies there and unlike what was predicted in May 2012,
> it never got maintained by the web community. If it was mostly about
> the credentials bit from the FAQ then yes, we need to explain that in
> the current specification, once we have all agreed how those things
> should work in detail.
> --
> http://annevankesteren.nl/

Reply via email to