hm. fetch() has credentials: true but that includes both cookies and Authorization headers. Can I tell it to only do Authorization headers and not cookies, I wonder? Doesn't seem to be a way; you can only set credentials to true or false, not to "headers not cookies"; the server can only do Access-Control-Allow-Credentials:true, not Access-Control-Allow-Credentials:headers-only, and I can't set my own (wrong or blank) cookie header in a fetch. Bit baffled by how to proceed here.

@sil why can't you just set whatever authentication headers or cookies you need on the fetch request? Rather than relying on the browser to do that for you.

@intrbiz because if you've got cookies for that site and you turn on credentials:include on fetch, the cookies get sent. If you turn off credentials, then it won't send an Authorization header either, even if you set one. So if there are cookies present and an Auth header, you can either send both of them or neither of them with the fetch(), but you can't send one and not the other.

@sil why do you need to pass Cookies that you don't have access to?

@intrbiz 'cos in another tab, I am logged into couchdb so I can see its admin interface. What I want to do is be able to generate a fetch() request which doesn't use the cookies even though I have them, and it turns out that's impossible, which is quite annoying. It is good that fetch() has the ability to use pre-existing cookies, but I would also like to be able to turn that good behaviour off and provide my own explicit credentials and I can't.


@sil so why can't you make a fetch request with credentials false and add an authorization header with your authorisation? Presumably your app is authenticating your user and has the resulting authorisation token.

@intrbiz because if you set credentials:false and also set an Authorization header, then your authorization header is not passed by the fetch() call even though you set it, because it's a credential.

@sil I don't think that is the case. That is controlled by CORS headers.

I definitely have apps setting a bearer token with fetch.

@intrbiz ah, fair, in detail it applies to basic auth headers, not all Authorization headers. (developer.mozilla.org/en-US/do confirms.) So eventually if I shift to bearer tokens or JWTs or something then this problem would be alleviated, but I'm not in a position to do that yet :)
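A worked example of the point the thread circles around, added here as an illustration and not posted by either participant. Under the WHATWG Fetch spec, `credentials: 'omit'` stops the browser attaching its ambient credentials (cookies, stored HTTP-auth entries, TLS client certificates), while any `Authorization` header you set yourself is an ordinary request header and is kept whatever the credentials mode. The snippet builds such a request with the standard `Request`/`Headers` globals (any browser, or Node 18+), so it runs offline without contacting anything. The `API_URL`, the page origin and the `admin`/`s3cret` login are made up; `describeRequest` is a hypothetical helper that reports what the spec says the request will carry, not something observed on the wire.

```javascript
// Added example (not from the thread). Uses only the Fetch `Request`/`Headers`
// globals; no network request is made. URL and credentials are constructed.

const API_URL = 'http://couch.example.test/_all_dbs'; // hypothetical endpoint

// Build an explicit HTTP Basic Authorization header value (RFC 7617).
function basicAuthHeader(user, password) {
  return 'Basic ' + btoa(`${user}:${password}`);
}

// Build a request that carries our own Authorization header and asks the
// browser to leave out ambient credentials (cookies, stored HTTP-auth
// entries, TLS client certs). Valid modes: 'omit' | 'same-origin' | 'include'.
function buildRequest(url, authValue, credentials = 'omit') {
  return new Request(url, {
    method: 'GET',
    credentials,
    headers: { Authorization: authValue },
  });
}

// Hypothetical helper: describe what a Request will carry according to the
// Fetch spec's credentials rules.
//   'omit'        -> never attaches Cookie / stored auth / client certs
//   'same-origin' -> attaches them only when the URL is same-origin (default)
//   'include'     -> attaches them everywhere (cross-origin then needs
//                    Access-Control-Allow-Credentials: true from the server)
// Headers set explicitly on the request are sent regardless of the mode.
function describeRequest(req, pageOrigin) {
  const sameOrigin = new URL(req.url).origin === pageOrigin;
  const ambientCreds =
    req.credentials === 'include' ||
    (req.credentials === 'same-origin' && sameOrigin);
  return {
    credentials: req.credentials,
    sendsAmbientCookies: ambientCreds,
    sendsExplicitAuthorization: req.headers.has('authorization'),
    authorization: req.headers.get('authorization'),
  };
}

// Stand-alone usage: Basic auth header with cookies omitted.
const req = buildRequest(API_URL, basicAuthHeader('admin', 's3cret'), 'omit');
console.log(describeRequest(req, 'http://localhost:5984'));
```

Two caveats for anyone trying this against a real server: `Authorization` is not a CORS-safelisted header, so a cross-origin fetch that sets it triggers a preflight and the server must list it in `Access-Control-Allow-Headers`; and with `'omit'` the server does not need `Access-Control-Allow-Credentials: true`, since no ambient credentials are involved. You still cannot set a `Cookie` header yourself in a browser, because it is on the forbidden request header list.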
