> > OK then - Anne and others, what do you think about creating a new tri-state > > xhr.credentialsPolicy property and discouraging usage of > > xhr.withCredentials ? > > I think I'd prefer removing the constructor flag and leaving new
> features to the API for Fetch. Sorry, I don't understand what you meant by this sentence. Fetch already has the required "underpinnings" for this tri-state flag: http://fetch.spec.whatwg.org/#concept-request-omit-credentials-mode "A request has an associated omit credentials mode, which is one of always, CORS, and never." which maps exactly to credentialsPolicy: "omit credentials mode": always == credentialsPolicy: never (naming can be discussed, withCredentials='never' would be more intuitive but as we're not redefining withCredentials.. Maybe credentialsPolicy = 'nocredentials' ?) "omit credentials mode": CORS == credentialsPolicy: 'samedomain' "omit credentials mode": never == credentialsPolicy: 'always' So creating a new tri-state property in the XHR spec should also simplify integration with the Fetch spec. > Also, we still need to nail down the > details of withCredentials. Questions raised in > http://lists.w3.org/Archives/Public/public-webapps/2013AprJun/0499.html > have gone without conclusive answers. I'm afraid I have no idea what the answers are.. -- Hallvord R. M. Steen Core tester, Opera Software