Re: [fetch] Navigate likely needs to be "no-cors" after all, need to update security checks (#126) from Ben Kelly on 2015-09-17 (public-webapps-github@w3.org from September 2015)

From: Ben Kelly <notifications@github.com>
Date: Thu, 17 Sep 2015 10:41:46 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Message-ID: <whatwg/fetch/issues/126/141162881@github.com>

> (Having said that, per another suggestion it might already branch on mode and redirect mode. So I'm not sure how consistent we'd be if we did that too.)

* The thing that determines if you get an opaqueredirect response is RequestRedirect.
* The thing that determines if you get an opaque response is RequestMode.

In both cases, checking the Response type based on the Request attribute which determines if you get that Response type seems natural to me.

Setting navigation request to "no-cors" RequestMode implies that opaque responses should be allowed.  But we don't allow them, because what we really mean is same-origin, but we can't use that because it forces the origin header which isn't right for navigations.  None of the current RequestMode values really fits for navigations.

To me that really suggests we need a new RequestMode for navigations.

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/126#issuecomment-141162881

Received on Thursday, 17 September 2015 17:42:16 UTC