Fix #209: no credential prompt when credentials mode is not include

Since “include” has been the default since forever, “same-origin” can only be set through CORS (until recently), and “omit” is very new, it should be safe to not prompt the user for credentials when credentials mode is not “include”.
whatwg · Jan 29, 2016 · 10cb34f · 10cb34f
1 parent 42464c8
commit 10cb34f
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 7 deletions.
diff --git a/Overview.html b/Overview.html
@@ -7,7 +7,7 @@
 
 <p><a class="logo" href="https://whatwg.org/"><img alt="WHATWG" height="100" src="https://resources.whatwg.org/logo-fetch.svg" width="100"></a>
 <h1 id="cors">Fetch</h1>
-<h2 class="no-num no-toc" id="living-standard-—-last-updated-28-january-2016">Living Standard — Last Updated 28 January 2016</h2>
+<h2 class="no-num no-toc" id="living-standard-—-last-updated-29-january-2016">Living Standard — Last Updated 29 January 2016</h2>
 
 <dl>
  <dt>Participate:
@@ -2371,9 +2371,16 @@ <h3 id="http-fetch"><span class="secno">5.3 </span>HTTP fetch</h3>
    <dt><code title="">401</code>
    <dd>
     <ol>
-     <li><p>If <var>request</var>'s <a href="#concept-request-window" title="concept-request-window">window</a>
-     is "<code>no-window</code>" or the <i title="">CORS flag</i> is set, return
-     <var>response</var>.
+     <li>
+      <p>If one of the following conditions is true, return <var>response</var>:
+
+      <ul>
+       <li>The <i title="">CORS flag</i> is set.
+       <li><var>request</var>'s <a href="#concept-request-credentials-mode" title="concept-request-credentials-mode">credentials mode</a>
+       is <em>not</em> "<code>include</code>".
+       <li><var>request</var>'s <a href="#concept-request-window" title="concept-request-window">window</a> is
+       "<code>no-window</code>".
+      </ul>
 
      <li class="XXX"><p>Needs testing: multiple `<code>WWW-Authenticate</code>` headers,
      missing, parsing issues.

diff --git a/Overview.src.html b/Overview.src.html
@@ -2310,9 +2310,16 @@ <h3>HTTP fetch</h3>
    <dt><code title>401</code>
    <dd>
     <ol>
-     <li><p>If <var>request</var>'s <span title=concept-request-window>window</span>
-     is "<code>no-window</code>" or the <i title>CORS flag</i> is set, return
-     <var>response</var>.
+     <li>
+      <p>If one of the following conditions is true, return <var>response</var>:
+
+      <ul>
+       <li>The <i title>CORS flag</i> is set.
+       <li><var>request</var>'s <span title=concept-request-credentials-mode>credentials mode</span>
+       is <em>not</em> "<code>include</code>".
+       <li><var>request</var>'s <span title=concept-request-window>window</span> is
+       "<code>no-window</code>".
+      </ul>
 
      <li class=XXX><p>Needs testing: multiple `<code>WWW-Authenticate</code>` headers,
      missing, parsing issues.