Feature Request: include credentials #3096
This is a potential security concern, since including the credentials can leak them to unauthorized third parties. The current settings were all selected as they are the default for fetch.
Wow, that was a fast response, thank you @ricmoo. I further discuss this idea in #3097. Yes, it's only a proof of concept, and I agree with you there are security concerns. We would like to check with you if you are open to allowing this to be configurable at least. Given that even basic authentication is allowed allowInsecureAuthentication
It could be made a configurable option, but this would be a non-backwards compatible change and would be a bit more work than is likely to be prioritized in the near future for v5. This change, while simple in the browser case, requires some additional code for the node case, where it would need to be implemented. I want to make sure the fetch api works identically in both node and browser, so an option like this needs to be added as the node http library isn’t a matter of a simple property. In v6, the entire fetch library will be able to be swapped out in the same way the crypto library can, so there will be fewer options directly within the library, with the expectation that adding the new abilities is easier to do by replacing the fetch.
Can I describe my understanding of what you said in my own words, please check if it's correct:
Is this a good understanding?
QQ: if my understanding of this sentence is correct, does it currently honor
friendly ping to continue discussion~
The v6 branch won't need this, since you can just swap out the fetch operation and make any adjustments manually. If it is added to v5, it needs to occur in a minor version change. I am planning one though. What I may opt for is a I'll mark this for a minor bump to look more into it as I prepare that.
That would work, thank you @ricmoo!
With c309df8 merged, this PR is considered done
The fetchOptions has been included in v5.7.0. Try it out and let me know if there are any problems. :) Thanks! :)
That is great news!
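
The thread's two points, that sending credentials can leak them to third parties and that a replaceable fetch lets the caller make its own adjustments, can be combined in a fetch wrapper that sends credentials only to allow-listed origins. This is an added example, not code from the thread or from the library; `makeScopedFetch`, the stub fetch and the `*.example` URLs are hypothetical, and how such a wrapper is plugged into the library is not shown.

```javascript
// Added example. makeScopedFetch and the RPC URLs are hypothetical names.
function makeScopedFetch(baseFetch, trustedOrigins) {
  const trusted = new Set(trustedOrigins.map((o) => new URL(o).origin));

  return function scopedFetch(url, init = {}) {
    const target = new URL(url);
    // Credentials only go to allow-listed origins, and only over TLS.
    const isTrusted = target.protocol === "https:" && trusted.has(target.origin);

    // Copy headers, dropping Authorization/Cookie for untrusted targets.
    const headers = {};
    for (const [name, value] of Object.entries(init.headers || {})) {
      const secret = /^(authorization|cookie)$/i.test(name);
      if (isTrusted || !secret) { headers[name] = value; }
    }

    return baseFetch(target.href, {
      ...init,
      headers,
      // The caller's own "credentials" setting is overridden on purpose.
      credentials: isTrusted ? "include" : "omit",
      // A redirected request keeps its credentials mode for the new
      // location, so credentialed requests refuse redirects entirely.
      redirect: isTrusted ? "error" : (init.redirect || "follow"),
    });
  };
}

// Constructed demonstration: a stub stands in for the real fetch and simply
// returns what it was asked to send.
const stubFetch = (url, init) => ({ url, init });
const scoped = makeScopedFetch(stubFetch, ["https://rpc.internal.example"]);
const auth = { Authorization: "Basic Y29uc3RydWN0ZWQ=" }; // constructed value

const toTrusted = scoped("https://rpc.internal.example/v1", { method: "POST", headers: auth });
const toOther = scoped("https://rpc.other.example/v1", {
  method: "POST", credentials: "include", headers: auth,
});
console.log(toTrusted.init.credentials, toOther.init.credentials);
```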