Rewrite Access-Control-Allow-Credentials
wbamberg committed Dec 15, 2023
1 parent 9f3af81 commit 121ec81
Showing 1 changed file with 10 additions and 13 deletions.
@@ -7,23 +7,20 @@ browser-compat: http.headers.Access-Control-Allow-Credentials

{{HTTPSidebar}}

The **`Access-Control-Allow-Credentials`** response header
tells browsers whether to expose the response to the frontend JavaScript code when the
request's credentials mode ({{domxref("Request.credentials")}}) is `include`.
The **`Access-Control-Allow-Credentials`** response header tells browsers whether the server allows cross-origin HTTP requests to include credentials.

When a request's credentials mode ({{domxref("Request.credentials")}}) is
`include`, browsers will only expose the response to the frontend JavaScript code
if the `Access-Control-Allow-Credentials` value is `true`.
Credentials are cookies, {{glossary("TLS")}} client certificates, or authentication headers containing a username and password. By default, these credentials are not sent in cross-origin requests, and doing so can make a site vulnerable to {{glossary("CSRF")}} attacks.

Credentials are cookies, authorization headers, or TLS client certificates.
A client can ask that credentials should be included in cross-site requests:

When used as part of a response to a preflight request, this indicates whether or not
the actual request can be made using credentials. Note that simple {{HTTPMethod("GET")}}
requests are not preflighted. So, if a request is made for a resource with
credentials, and if this header is not returned with the resource, the response is ignored
by the browser and not returned to the web content.
- Using {{domxref("fetch()")}}, by setting the [`credentials`](/en-US/docs/Web/API/Request/Request#credentials) option in the {{domxref("Request.Request()", "Request()")}} constructor to `"include"`.
- Using {{domxref("XMLHttpRequest")}}, by setting the {{domxref("XMLHttpRequest.withCredentials")}} property to `true`.

The `Access-Control-Allow-Credentials` header works in conjunction with the `credentials` option in the {{domxref("Request.Request()", "Request()")}} constructor of the Fetch API or the {{domxref("XMLHttpRequest.withCredentials")}} property. For a CORS request with credentials, for browsers to expose the response to the frontend JavaScript code, both the server (using the `Access-Control-Allow-Credentials` header) and the client (by setting the credentials mode for the XHR, Fetch, or Ajax request) must indicate that they're opting into including credentials.
If the client has asked for credentials to be included:

- If the request is {{glossary("Preflight_request", "preflighted")}}, then the preflight request does not credentials. If the server's response to the preflight request sets the `Access-Control-Allow-Credentials` header to `true`, then the real request will include credentials: otherwise, the browser reports a network error.

- If the request is not preflighted, then the request will include credentials, and if the server's response does not set the `Access-Control-Allow-Credentials` header to `true`, the browser reports a network error.

<table class="properties">
<tbody>
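Review bot: the first bullet under "If the client has asked for credentials to be included" is missing its verb: `the preflight request does not credentials` should read `the preflight request does not include credentials`, since that is the statement the bullet relies on before contrasting the preflight with the real request. In the same bullet, `then the real request will include credentials: otherwise, the browser reports a network error` reads more cleanly with a semicolon or a full stop before `otherwise`, matching the sentence structure of the second bullet.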

0 comments on commit 121ec81