
Possibly I'm still not completely understanding all the ins and outs of browser security, but I think what I'm trying to achieve is relatively simple.

I have a page served 100% over HTTPS. I'm using basic auth, with the username and password being held by the browser, and they (should) be sent with every request from there onwards.

I have added credentials: 'same-origin' to the fetch function call, and for GET requests it is included, but the same code path with a POST request does not include the header in the request.

// GET: the browser attaches the cached Basic Authorization header as expected
fetch("/center/57023368c4d6931600216494", {
  headers: {
    "Content-Type": "application/json",
    Accept: "application/json"
  },
  credentials: "same-origin",
  method: "GET"
})

// POST: same options, same origin, but the Authorization header is missing in Chrome and Safari
fetch("/users/find", {
  headers: {
    "Content-Type": "application/json",
    Accept: "application/json"
  },
  credentials: "same-origin",
  method: "POST",
  body: JSON.stringify({ center: "US testing" })
})

I don't think this is a CORS issue, since everything is talking to the same domain. I've tried expanding to credentials: 'include' but it makes no difference, and I've seen the problem in both Safari and Chrome.

There seems to be little or no feedback, so I'm really stuck as to whether this is a spec / implementation issue, a browser issue, or a "you're not using the code correctly" issue. Any help appreciated.

Chris Matheson
  • UPDATE: the code works as expected in Firefox and Firefox Developer Edition. So this could be an implementation detail that isn't covered by the WHATWG spec? – Chris Matheson Nov 07 '17 at 14:23
  • It very much seems like an implementation bug in Chrome and Safari. I would recommend reporting it against them. – Anne Jan 18 '18 at 05:54

0 Answers