Quick update, we added a use counter to see how often this could happen. I'll get back once we have data.
On Wed, Feb 8, 2023 at 11:51 PM Yoav Weiss <yoavwe...@chromium.org> wrote:

> Any use counters on how often this happens?
>
> On Thursday, February 2, 2023 at 8:58:35 AM UTC+1 Kenichi Ishibashi wrote:
>
> Contact emails
> ba...@chromium.org
>
> Specification
> https://fetch.spec.whatwg.org/#http-redirect-fetch
>
> Summary
>
> Remove Authorization header on cross origin redirects to scope a
> developer-controlled Authorization header to the origin of the initial
> request.
>
> Blink component
> Blink>Loader
> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ELoader>
>
> TAG review
> Not applicable, the spec has been already updated.
> https://github.com/whatwg/fetch/pull/1544
>
> TAG review status
> Not applicable
>
> Risks
>
> Interoperability and Compatibility
>
> Low. All browser vendors agreed with this change.
>
> *Gecko*: Shipping (https://bugzilla.mozilla.org/show_bug.cgi?id=1802086)
>
> Do we know if they ran into any compat issues when shipping this?
>
> None I'm aware of. I checked the bug and related issues in GitHub but I didn't find anything.
>
> *WebKit*: Shipped/Shipping (https://bugs.webkit.org/show_bug.cgi?id=230935)
> Historically Safari always removed Authorization headers even for the same
> origin redirects. Recently the behavior has changed to preserve them on
> same origin redirects.
>
> That's encouraging in terms of lack of potential reliance on these headers.
>
> *Web developers*: No signals
>
> *Other signals*:
>
> WebView application risks
>
> N/A
>
> Debuggability
>
> Web Developers can use DevTools network panel to see the actual request
> headers.
>
> Will this feature be supported on all six Blink platforms (Windows, Mac,
> Linux, Chrome OS, Android, and Android WebView)?
> Yes
>
> Is this feature fully tested by web-platform-tests
> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
> Yes
> https://wpt.fyi/results/xhr/xhr-authorization-redirect.any.html?label=master&label=experimental
> https://wpt.fyi/results/fetch/api/credentials/authentication-redirection.any.html?label=experimental
>
> Flag name
> Not applicable
>
> Requires code in //chrome?
> False
>
> Tracking bug
> https://bugs.chromium.org/p/chromium/issues/detail?id=1393520
>
> Estimated milestones
>
> M112
>
> Anticipated spec changes
>
> The spec has been already updated.
>
> https://github.com/whatwg/fetch/issues/944
>
> Link to entry on the Chrome Platform Status
> https://chromestatus.com/feature/5195900413018112
>
> This intent message was generated by Chrome Platform Status
> <https://chromestatus.com/>.
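
The redirect rule summarised in the intent above, modelled as an added JavaScript example (not part of the email thread and not Chromium's code). The function names `sameOrigin` and `followRedirects` and all hosts and tokens are constructed for illustration; the rule itself is the one in the linked HTTP-redirect fetch section of the Fetch spec.

```javascript
// Added illustration: tracks a developer-set Authorization header across a
// redirect chain. Hypothetical helper names; sample hosts are constructed.

// Origins match only when scheme, host and port all match. URL.origin
// normalises default ports, so https://a.example:443 equals https://a.example.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// startUrl: URL of the initial request.
// headers:  plain object of request headers set by the page.
// hops:     Location header values returned by each redirect, in order.
// Returns one entry per request actually sent: { url, sent }, where `sent`
// says whether Authorization was still attached to that request.
function followRedirects(startUrl, headers, hops) {
  // Header names are case-insensitive, so store them lower-cased.
  const current = new Map(
    Object.entries(headers).map(([name, value]) => [name.toLowerCase(), value])
  );
  let url = new URL(startUrl).href;
  const trace = [{ url, sent: current.has("authorization") }];

  for (const location of hops) {
    // Location may be relative; resolve it against the current request URL.
    const next = new URL(location, url).href;
    if (!sameOrigin(url, next)) {
      // Cross-origin hop: the header is deleted from the request itself,
      // so a later redirect back to the first origin does not restore it.
      current.delete("authorization");
    }
    url = next;
    trace.push({ url, sent: current.has("authorization") });
  }
  return trace;
}

// Constructed sample chain: same-origin hop, cross-origin hop, bounce back.
const sampleTrace = followRedirects(
  "https://api.example/data",
  { Authorization: "Bearer constructed-token" },
  ["/v2/data", "https://cdn.example/data", "https://api.example/final"]
);
for (const { url, sent } of sampleTrace) {
  console.log(`${sent ? "Authorization sent   " : "Authorization dropped"} ${url}`);
}
```
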