From 24a8670f43a2efbd0a731b77a4d19363c8751b8e Mon Sep 17 00:00:00 2001
From: "Michael[tm] Smith" <mike@w3.org>
Date: Mon, 1 Mar 2021 15:53:48 +0900
Subject: [PATCH] Clarify that RequestInit's credentials affects response

Follow-up to 00344d2296658f9dcf5e3f5cdcebebd2f3a4d102 to state something equivalent for the API. Also state the default when input is a string for credentials and mode.
---
 fetch.bs | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/fetch.bs b/fetch.bs
index 917145574..c77dba159 100644
--- a/fetch.bs
+++ b/fetch.bs
@@ -5923,11 +5923,15 @@ object), initially null.
 
    <dt>{{RequestInit/mode}}
    <dd>A string to indicate whether the request will use CORS, or will be restricted to same-origin
-   URLs. Sets <var>request</var>'s {{Request/mode}}.
+   URLs. Sets <var>request</var>'s {{Request/mode}}. If <var>input</var> is a string, it defaults to
+   "<code>cors</code>".
 
    <dt>{{RequestInit/credentials}}
    <dd>A string indicating whether credentials will be sent with the request always, never, or only
-   when sent to a same-origin URL. Sets <var>request</var>'s {{Request/credentials}}.
+   when sent to a same-origin URL — as well as whether any credentials sent back in the response
+   will be used always, never, or only when received from a same-origin URL. Sets
+   <var>request</var>'s {{Request/credentials}}. If <var>input</var> is a string, it defaults to
+   "<code>same-origin</code>".
 
    <dt>{{RequestInit/cache}}
    <dd>A string indicating how the request will interact with the browser's cache to set