No subject
Fri Mar 7 15:32:22 PST 2014
Hi all,

While looking at http://webkit.org/b/126619, a question came to my mind on
user credentials prompting for cross-origin resources.
WebKit allows prompting users for credentials in case of loading
cross-origin resources (except for XHR).

From my reading of http://fetch.spec.whatwg.org/#http-fetch, user should
not be prompted for credentials on cross origin requests.
In terms of browser interoperability, a few tests seem to show that WebKit
and Mozilla allow prompting users while Chrome does not always.

Different paths could be chosen:
1. Stick with the current behavior
2. Remove user credential prompting for cross-origin requests in places
where chances to break web sites are low (video loading? resource loading
in case @crossorigin="use-credentials"?)
3. Remove user credential prompting for cross-origin requests.

Any idea on where we should be heading?

   Youenn