Browser cookies not sent by default, no easy way to change

[DanielVF]

When using jQuery's ajax methods, the browser's cookies are sent along with each same-origin request. If your user is currently logged in, then their requests are logged in too.

The fetch spec however requires that no cookies be sent unless the credentials option is explicitly set to 'same-origin' or the stronger 'include'. (see here: https://github.com/github/fetch/pull/69/files?diff=split )

There's currently no way to set the global fetch options for a new HttpStateSource, other than on each request you make.

I wonder if we should make HttpStateSource default to using credentials 'same-origin', and allow changing the default request options from HttpStateSource's mixinOptions.

[jhollingworth]

We've introduced the concept of "hooks" in v0.9 which allows you to modify requests before they are sent and responses after received. Do you think they could be used to fix this case?

[DanielVF]

Yes, hooks look like they would allow me to globally change the behavior for my application.

Still might be nice to change the default marty behavior to send browser cookies on requests, though.

[jhollingworth]

I'd like to avoid changing the existing behaviour if possible. If we're quietly modifying the expected behaviour of fetch this could confuse some people. If this becomes a recurring request then I will reconsider

Thanks!

[jhollingworth]

I'm going to back track on my previous comment. #209 adds an http hook which sets credentials to 'same-origin'. This will be introduced in Marty v0.9

[DanielVF]

Great! Thanks!