Re: [fetch] redirecting from same-origin to cross-origin CORS with userpass should fail (#112)

> I ended up checking both the CORS flag and the mode. Otherwise cross-origin to same-origin would not be covered.

Can you describe the case you are talking about here?  Wouldn't it be better to change this to use CORS mode as well?

> If the CORS flag is set and locationURL's origin is not same origin with request's current url's origin, set request's origin to an opaque identifier. 

Then there is no "cross-origin to same-origin" any more since you can't get "same-origin" to match the opaque identifier.

This is effectively what Gecko does as well using a "have I ever been cross-origin" flag.  Again, this does not depend on being redirected from cross-origin to be set.  It's just the first time a cross-origin URL is evaluated regardless of the redirect source.

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/112#issuecomment-132988157

Received on Thursday, 20 August 2015 12:13:43 UTC
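
The quoted redirect rule and the flag-based approach described in the message, modelled side by side as an added example (not part of the original email, not spec text and not Gecko's code). The hosts, the function names and the point at which the CORS flag gets set are assumptions made for illustration.

```javascript
// Simplified model; hosts are constructed sample values, names are hypothetical.
const OPAQUE = Symbol("opaque origin"); // can never equal a real origin string

// Walk a redirect chain and label each hop as the request would treat it.
// applyRule=false shows the behaviour without the quoted rule.
function classifyWithOpaqueOrigin(initiatorOrigin, chain, applyRule = true) {
  let requestOrigin = initiatorOrigin;
  let corsFlag = false;
  return chain.map((url, i) => {
    const current = new URL(url).origin;
    const previous = i > 0 ? new URL(chain[i - 1]).origin : null;
    // Quoted rule: CORS flag is set and the redirect changes origin.
    if (applyRule && i > 0 && corsFlag && current !== previous) {
      requestOrigin = OPAQUE;
    }
    const sameOrigin = current === requestOrigin;
    if (!sameOrigin) corsFlag = true; // assumption: set on the first cross-origin fetch
    return sameOrigin ? "same-origin" : "cross-origin";
  });
}

// Flag-based approach as the message describes it: the flag is set the first
// time a cross-origin URL is evaluated and is never cleared afterwards.
function classifyWithEverCrossOriginFlag(initiatorOrigin, chain) {
  let everCrossOrigin = false;
  return chain.map((url) => {
    if (new URL(url).origin !== initiatorOrigin) everCrossOrigin = true;
    return everCrossOrigin ? "cross-origin" : "same-origin";
  });
}

// Constructed chain: same-origin -> cross-origin -> back to the initiator's origin.
const initiator = "https://a.example";
const chain = [
  "https://a.example/start",
  "https://b.example/hop",
  "https://a.example/final",
];
console.log(classifyWithOpaqueOrigin(initiator, chain, false));
console.log(classifyWithOpaqueOrigin(initiator, chain));
console.log(classifyWithEverCrossOriginFlag(initiator, chain));
```

In this model both approaches label the final hop cross-origin, while the run without the rule treats it as same-origin again.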