Remove Authorization header on cross origin redirects to scope a developer-controlled Authorization header to the origin of the initial request.
Low. All browser vendors agreed with this change.
N/A
Web Developers can use DevTools network panel to see the actual request headers.
M112
The spec has been already updated.
https://github.com/whatwg/fetch/issues/944
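The redirect rule summarised above, as an added sketch that is not part of the original thread or Chromium's code: it models only the Authorization handling of the Fetch spec's HTTP-redirect fetch over a constructed redirect chain. The function names, the input shape and the `example.test` hosts are assumptions made for illustration.

```javascript
// Added illustration: models only the Authorization handling of Fetch's
// "HTTP-redirect fetch". No network access; the hops are constructed sample data.

// Headers removed when a redirect crosses origins (the one this change targets).
const STRIPPED_ON_CROSS_ORIGIN = ["authorization"];

// An origin is the (scheme, host, port) tuple; URL.origin normalises default ports.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Returns, for every request in the chain, the URL and the headers actually sent.
// `locations` holds the Location values of successive redirect responses
// (hypothetical input shape chosen for this example).
function followRedirects(startUrl, headers, locations) {
  let current = new URL(startUrl).href;
  let sent = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const trace = [{ url: current, headers: { ...sent } }];
  for (const location of locations) {
    const next = new URL(location, current).href; // Location may be relative
    if (!sameOrigin(current, next)) {
      // The header is deleted from the request itself, so it does not come
      // back if a later hop returns to the original origin.
      sent = Object.fromEntries(
        Object.entries(sent).filter(([k]) => !STRIPPED_ON_CROSS_ORIGIN.includes(k)));
    }
    current = next;
    trace.push({ url: current, headers: { ...sent } });
  }
  return trace;
}

// Constructed example chain (all hosts are placeholders).
const trace = followRedirects(
  "https://api.example.test/v1/items",
  { Authorization: "Bearer sample-token", Accept: "application/json" },
  ["/v2/items",                          // same origin: header kept
   "https://cdn.example.test/v2/items",  // different host: header removed
   "https://api.example.test/v2/items"]  // back to first origin: still absent
);
for (const hop of trace) {
  const state = "authorization" in hop.headers ? "[Authorization sent]" : "[no Authorization]";
  console.log(hop.url, state);
}
```

Because the origin comparison includes the scheme and port, an `http:` to `https:` redirect on the same host also drops the header.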
Any use counters on how often this happens?

On Thursday, February 2, 2023 at 8:58:35 AM UTC+1 Kenichi Ishibashi wrote:

Contact emails: ba...@chromium.org
Specification: https://fetch.spec.whatwg.org/#http-redirect-fetch
Summary: Remove Authorization header on cross origin redirects to scope a developer-controlled Authorization header to the origin of the initial request.
Blink component: Blink>Loader
TAG review
TAG review status: Not applicable
Risks
Interoperability and Compatibility: Low. All browser vendors agreed with this change.
Gecko: Shipping (https://bugzilla.mozilla.org/show_bug.cgi?id=1802086)

Do we know if they ran into any compat issues when shipping this?
Hi, sorry for the long delay.

The feature page now shows sites that use Authorization header for cross-origin redirects. I randomly picked some of them and examined to see if they could work when Chrome removes Authorization header upon cross-origin redirects. As far as I can tell, none of them are broken. We would like to ship this behind a feature flag.
LGTM2
Hey,
Sorry for necro'ing this thread, I'm aware that this has been on the "done" pile for a while - and maybe it should've been brought up earlier, but how do you "disable" this feature? It's making the BE dev exhaustingly painful, not being able to intercept requests and re-forward them to the local BE.
Is there a flag, or whatnot, to re-enable the old flow?
It's possible that DevTools could support this use case, so I'd encourage you to file a feature request at crbug.com/new. Thx