Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

De-XHRify HTTP: everything except CORS #31013

Merged
merged 6 commits into from
Dec 16, 2023
Merged

De-XHRify HTTP: everything except CORS #31013

merged 6 commits into from
Dec 16, 2023

Conversation

wbamberg
Copy link
Collaborator

@wbamberg wbamberg commented Dec 14, 2023
edited
Loading

Part of #31010. Tiny changes.

This should cover everything except the main CORS page.
@wbamberg wbamberg requested a review from a team as a code owner December 14, 2023 23:41
@wbamberg wbamberg requested review from bsmth and removed request for a team December 14, 2023 23:41
@github-actions github-actions bot added the Content:HTTP HTTP docs label Dec 14, 2023
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Dec 14, 2023
edited
Loading

Preview URLs (12 pages)

(comment last updated: 2023-12-16 06:56:02)
@teoli2003 teoli2003 requested review from teoli2003 and removed request for bsmth December 15, 2023 08:21
teoli2003
teoli2003 requested changes Dec 15, 2023
View reviewed changes
Copy link
Member

@teoli2003 teoli2003 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! One nit and one sentence that I find overly complex.
files/en-us/web/http/headers/access-control-allow-credentials/index.md Outdated
`Access-Control-Allow-Credentials` header) and the client (by setting the
credentials mode for the XHR, Fetch, or Ajax request) must indicate that they're opting
into including credentials.
The `Access-Control-Allow-Credentials` header works in conjunction with the `credentials` option in the {{domxref("Request.Request()", "Request()")}} constructor of the Fetch API or the {{domxref("XMLHttpRequest.withCredentials")}} property. For a CORS request with credentials, for browsers to expose the response to the frontend JavaScript code, both the server (using the `Access-Control-Allow-Credentials` header) and the client (by setting the credentials mode for the XHR, Fetch, or Ajax request) must indicate that they're opting into including credentials.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also find For a CORS request with credentials, for browsers to expose the response to the frontend JavaScript code, both the server (using the Access-Control-Allow-Credentials header) and the client (by setting the credentials mode for the XHR, Fetch, or Ajax request) must indicate that they're opting into including credentials. a very complicated (but correct) sentence; can we express it differently? I'm afraid it would be too complicated for non-native speakers.

Suggested change
The `Access-Control-Allow-Credentials` header works in conjunction with the `credentials` option in the {{domxref("Request.Request()", "Request()")}} constructor of the Fetch API or the {{domxref("XMLHttpRequest.withCredentials")}} property. For a CORS request with credentials, for browsers to expose the response to the frontend JavaScript code, both the server (using the `Access-Control-Allow-Credentials` header) and the client (by setting the credentials mode for the XHR, Fetch, or Ajax request) must indicate that they're opting into including credentials.
The `Access-Control-Allow-Credentials` header works in conjunction with the `credentials` option in the {{domxref("Request.Request()", "Request()")}} constructor of the Fetch API, or with the {{domxref("XMLHttpRequest.withCredentials")}} property. For a CORS request with credentials, for browsers to expose the response to the frontend JavaScript code, both the server (using the `Access-Control-Allow-Credentials` header) and the client (by setting the credentials mode for the XHR, Fetch, or Ajax request) must indicate that they're opting into including credentials.
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's fair. When I made these changes I didn't pay much attention to the wider semantics. Now I do, I don't think this description is very comprehensible, so I have had a go at rewriting it in 121ec81. Would love a fact check.

Resources: https://stackoverflow.com/questions/24687313/what-exactly-does-the-access-control-allow-credentials-header-do
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In particular I thought phrases like "the response is ignored by the browser and not returned to the web content" are confusing. As a web developer, what does this look like?
teoli2003
teoli2003 approved these changes Dec 16, 2023
View reviewed changes
Copy link
Member

@teoli2003 teoli2003 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍
@teoli2003 teoli2003 merged commit 369b8ec into mdn:main Dec 16, 2023
7 checks passed
dipikabh pushed a commit to dipikabh/content that referenced this pull request Jan 17, 2024
@wbamberg @teoli2003 @dipikabh
De-XHRify HTTP: everything except CORS (mdn#31013)
ec807ed 
* De-XHRify HTTP: everything except CORS

* Update note about client/server and push

* Rewrite Access-Control-Allow-Credentials

* Clarification

* Update files/en-us/web/http/headers/access-control-allow-credentials/index.md

* Set codeface

---------

Co-authored-by: Jean-Yves Perrier <jypenator@gmail.com>
@wbamberg wbamberg mentioned this pull request Jun 29, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Content:HTTP HTTP docs
2 participants
@wbamberg @teoli2003