JS Fetch API - When should I use credentials option with "omit" value if by default fetch won't send or receive any cookies from the server?

On the MDN Fetch API page (Sending a request with credentials included section) it is written that:

To instead ensure browsers don’t include credentials in the request, use credentials: 'omit'.

fetch('https://example.com', {
  credentials: 'omit'  
})

However, initially, it is also written that:

By default, fetch won't send or receive any cookies from the server, resulting in unauthenticated requests if the site relies on maintaining a user session (to send cookies, the credentials init option must be set).

My question is, if I want to omit cookies and auth headers, why should I ever bother to use credentials: 'omit' in the first place if it is written that by default (without credentials), fetch won't send cookies?

tonix asked Apr 22 '19 10:04

1 Answer

Because of this discussion on whatwg/fetch, the default value was changed from omit to same-origin in late 2017.

Browsers were catching up in 2018 so you can see some older browsers still use omit. For example, Firefox changed from omit to same-origin starting from 61. Chrome changed from version 72. You may check the full list here.

And more interestingly, the standard on whatwg page (Last updated 23 Mar 2019) is still omit.

HKTonyLee answered Nov 10 '22 18:11
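
The practical effect of the default change described in the answer, as an added example that is not part of the original question or answer: a small model of how the credentials mode decides whether cookies and HTTP auth are attached, compared under the old default (omit) and the new one (same-origin). The helper names, the page origin https://app.example and the /api/profile path are hypothetical.

```javascript
// Added example: model of how the fetch `credentials` mode decides whether
// cookies / HTTP auth are attached. All helper names are hypothetical.
const MODES = ['omit', 'same-origin', 'include'];

// Mode a browser applies: an explicit option wins, otherwise its default.
function effectiveMode(init, browserDefault) {
  const mode = (init && init.credentials) || browserDefault;
  if (!MODES.includes(mode)) {
    throw new TypeError(`invalid credentials mode: ${mode}`);
  }
  return mode;
}

// True when credentials would be attached to the request.
function sendsCredentials(mode, requestUrl, pageOrigin) {
  if (mode === 'omit') return false;
  if (mode === 'include') return true;
  // same-origin: only when the target has the same origin as the page
  return new URL(requestUrl, pageOrigin).origin === new URL(pageOrigin).origin;
}

// Default of the runtime executing this code, read from a Request object
// (undefined where the Request constructor is unavailable).
function runtimeDefault() {
  return typeof Request === 'function'
    ? new Request('https://example.com/').credentials
    : undefined;
}

// Constructed scenario: a page on https://app.example calling its own API.
function compare(init) {
  const page = 'https://app.example';
  const url = '/api/profile';
  return {
    oldDefault: sendsCredentials(effectiveMode(init, 'omit'), url, page),
    newDefault: sendsCredentials(effectiveMode(init, 'same-origin'), url, page),
  };
}

console.log('no option      ', compare({}));
console.log("explicit 'omit'", compare({ credentials: 'omit' }));
console.log('runtime default', runtimeDefault());
```

With no option, the same-origin call carries the session cookie only under the new default; with an explicit credentials: 'omit' the result is the same under both defaults.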