Doc: Definition of credentials unclear #612

Closed
roryhewitt opened this issue Oct 6, 2017 · 3 comments
@roryhewitt

Currently, the fetch spec defines credentials as follows:

> Credentials are HTTP cookies, TLS client certificates, and authentication entries.

with authentication entries further defined as follows:

> An authentication entry and a proxy-authentication entry are tuples of username, password, and realm, associated with one or more requests.

Two questions have been raised by my customers:

  • From a real-world perspective, when server developers add Access-Control-Allow-Credentials they're thinking of cookies and maybe the Authorization request header. Is there a comprehensive list of other authentication entries?
  • What is the process (if any) of specifying whether any new headers etc. should be added to the list of authentication entries?

When I checked the fetch spec example https://fetch.spec.whatwg.org/#example-cors-with-credentials (which I originally wrote, with editing by @annevk!) it uses the obvious example of Set-Cookie headers being ignored. Interested to know what other cases might apply. From a server-developer POV, what else would be ignored in the response - everything?

@annevk
Member

annevk commented Oct 7, 2017

Authentication entries is to describe HTTP authentication. There's nothing else (other than TLS client certificates which are listed separately). @sideshowbarker was planning on clarifying this I believe, but he's been rather busy with other things lately.

@sideshowbarker
Contributor

> Authentication entries is to describe HTTP authentication. There's nothing else (other than TLS client certificates which are listed separately). @sideshowbarker was planning on clarifying this I believe, but he's been rather busy with other things lately.

Yeah, I should be able to get back to it this week.

@sideshowbarker
Contributor

@roryhewitt if the d84658e change doesn’t resolve this to your satisfaction, then please either raise a new issue with specific suggestions for refining it further, or else comment here further (and we can re-open this issue itself if necessary).
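
The credentials definition and the Access-Control-Allow-Credentials handling discussed in this thread, as an added example that is not part of the issue, the spec text, or any participant's comment: a sketch of the Fetch Standard's credentials-inclusion rule and CORS check for a cross-origin request. Function and field names are hypothetical, and the origins and header values are constructed.

```javascript
// Added illustration: names are hypothetical, not identifiers from the Fetch Standard.

// The three kinds of credentials in the definition quoted in the issue.
const CREDENTIAL_KINDS = [
  "HTTP cookies",
  "TLS client certificates",
  "HTTP authentication entries",
];

// Credentials are attached when the mode is "include", or when it is
// "same-origin" and the request really is same-origin.
function includesCredentials(credentialsMode, isSameOrigin) {
  if (credentialsMode === "include") return true;
  return credentialsMode === "same-origin" && isSameOrigin;
}

// CORS check on a cross-origin response. `headers` is a Map keyed by
// lowercase header name.
function corsCheck(request, headers) {
  const allowOrigin = headers.get("access-control-allow-origin");
  if (allowOrigin === undefined) return false;
  const withCreds = request.credentialsMode === "include";
  // The wildcard is only acceptable when no credentials are involved.
  if (!withCreds && allowOrigin === "*") return true;
  if (allowOrigin !== request.origin) return false;
  if (!withCreds) return true;
  // The value must be exactly "true" (case-sensitive).
  return headers.get("access-control-allow-credentials") === "true";
}

// Summarize how a browser treats one cross-origin exchange.
function evaluate(request, headers) {
  const creds = includesCredentials(request.credentialsMode, false);
  return {
    credentialsSent: creds ? CREDENTIAL_KINDS : [],
    // Whether script on the requesting page may read the response.
    responseShared: corsCheck(request, headers),
    // Set-Cookie is only processed when credentials are included; that
    // step does not depend on the CORS check result.
    setCookieProcessed: creds && headers.has("set-cookie"),
  };
}

// Constructed sample: credentialed request answered with a wildcard.
const sample = evaluate(
  { origin: "https://app.example", credentialsMode: "include" },
  new Map([["access-control-allow-origin", "*"], ["set-cookie", "sid=1"]])
);
console.log(sample.responseShared); // false
```
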
