Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
Describe the bug
That's not really a bug. The problem is that the fetch request does not send anything that could be detectable by the server. There's no chance to find out if the request was made with fetch or not. The only solution is to send the x-requested-with header in your fetch request or define your own custom header and then make your own check on the server.
There are numerous ways to manually check whether the request came from the intended origin - adding a custom header is just one, and not usually the recommended way. Overall, it seems the
So, the option is to either put a lengthy explanation/warning in the docs about how the method will fail in typical situations using standard, vanilla JS, or to deprecate it. Honestly, it is unnecessary. A cookbook recipe showing how to process a form submission sent with fetch api and processed with a custom route would be much more useful.