Open Bug 1554538 Opened 5 years ago Updated 4 months ago

Consider stripping credentials from URLs for cross-origin loads instead of failing the CORS load


(Core :: DOM: Networking, defect, P3)





(Reporter: ehsan.akhgari, Unassigned)


(Blocks 3 open bugs)


(Whiteboard: [necko-triaged])

We currently fail and because we raise an error event. This happens because we bail out here:

This test was originally added in Comment 2 of that bug suggests that WebKit has historically done this for cross-origin loads (not sure if that means CORS loads or not...). We should probably consider adopting the same behaviour.

Anne, is this specified in fetch?

Flags: needinfo?(annevk)

Yeah, step of would not have the authentication-fetch flag set. (That only gets set after a 401 that the browser handles, which isn't allowed during CORS.)

Flags: needinfo?(annevk)
Priority: -- → P2
Whiteboard: [necko-triaged]
Severity: normal → S3
Blocks: necko-cors
You need to log in before you can comment on or make changes to this bug.