Should credentialed, same-site, cross-origin requests be easier to enable?
The Fetch standards currently disallow using `Access-Control-Allow-Origin: *` with `Access-Control-Allow-Credentials: true`.
This policy requires developers to take an extra step when enabling credentials on same-site but cross-origin fetch requests. Instead of using a * wildcard, they must explicitly return the origin they are allowing.
Today, browsers are defaulting cookies to `SameSite=Lax`, which takes priority over CORS. Even with `credentials: "include"` and CORS properly configured, a cookie set to `SameSite=Lax` won't be included with the cross-origin request.

So, I believe a case can be made that disallowing `Access-Control-Allow-Origin: *` with `Access-Control-Allow-Credentials: true` is a redundant protection.
Some potential options:
- Allow origin wildcards on credentialed requests
- Introduce an alternative wildcard that allows all SameSite requests
I think a `same-site` value could be reasonable for `Access-Control-Allow-Origin`. In some sense that is duplicative of a request in #890 that thus far hasn't gained traction, but it's more narrowly scoped so let's see what people think.
@colinclerk

> a cookie set to `SameSite=Lax` won't be included with the cross-origin request.

That entirely depends on whether the issuing origin is same-site with respect to the target origin. See https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/
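The two points in this thread, the CORS check that rejects a wildcard origin on credentialed requests and the difference between same-origin and same-site that decides whether a `SameSite=Lax` cookie travels with a fetch, are shown together in the following added JavaScript example. It is not code from the Fetch standard or from any commenter; the allowlist of origins and the tiny public-suffix table are constructed for the illustration (a real implementation must use the full Public Suffix List), and the `corsCheck` function follows the response-side CORS check as the Fetch standard describes it.

```javascript
// Added example (not code from the whatwg/fetch issue or its commenters).
// Runs on Node.js; URL is a global, so no imports are needed.

// Constructed allowlist of origins permitted to make credentialed requests.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Tiny stand-in for the Public Suffix List (assumption: real code must use the
// full list, otherwise "site" is computed wrongly for domains such as co.uk).
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk", "github.io"]);

// Registrable domain (eTLD+1) of a host: the public suffix plus one more label.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return labels.join("."); // host is itself a public suffix or unknown
}

// Schemeful same-site: same scheme and same registrable domain. Same-site is
// weaker than same-origin: subdomain and port differences are ignored.
function isSameSite(originA, originB) {
  const a = new URL(originA);
  const b = new URL(originB);
  return a.protocol === b.protocol &&
    registrableDomain(a.hostname) === registrableDomain(b.hostname);
}

// Would a cookie with the given SameSite attribute accompany a fetch() (a
// non-navigation subresource request) from requestOrigin to targetOrigin?
// Lax and Strict differ only for top-level navigations, so for fetch() both
// reduce to "same-site or not"; None is always sent (browsers require Secure).
function cookieSentWithFetch(sameSiteAttr, requestOrigin, targetOrigin) {
  switch (sameSiteAttr) {
    case "None":
      return true;
    case "Lax":
    case "Strict":
      return isSameSite(requestOrigin, targetOrigin);
    default:
      throw new Error(`unknown SameSite value: ${sameSiteAttr}`);
  }
}

// Server side: headers for a credentialed CORS response. Because "*" is not
// accepted with credentials, the allowed origin is echoed back explicitly;
// Vary: Origin stops a shared cache from replaying one origin's header to another.
function corsHeadersFor(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) {
    return null; // no Access-Control-* headers: the browser blocks the response
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Browser side: the CORS check from the Fetch standard. "*" passes only when
// credentials are not included; otherwise the origin must match exactly and
// Access-Control-Allow-Credentials must be "true".
function corsCheck(headers, requestOrigin, credentialsInclude) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (acao === "*" && !credentialsInclude) return true;
  if (acao !== requestOrigin) return false;
  if (!credentialsInclude) return true;
  return headers["Access-Control-Allow-Credentials"] === "true";
}
```

Running `cookieSentWithFetch("Lax", "https://app.example.com", "https://api.example.com")` returns `true`: the two origins differ but share the site `example.com`, so the `SameSite=Lax` cookie is sent and only the CORS check stands between the response and the calling page. The same call against `https://api.example.org` returns `false`, which is the cross-site case the original post had in mind.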