- From: Ben Kelly <notifications@github.com>
- Date: Tue, 07 Jun 2016 08:50:33 -0700
- To: slightlyoff/ServiceWorker <ServiceWorker@noreply.github.com>
- Cc:
Received on Tuesday, 7 June 2016 15:51:00 UTC
If a site only tests with GET requests and just blanket passes requests through with respondWith(evt.request). Once they go through the foreign fetch they are considered from the new origin, past the CORS boundary. If some sends a POST with a dangerous header this naive foreign fetch SW script will send it to server without any pre-flight. --- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/slightlyoff/ServiceWorker/issues/880#issuecomment-224324474
Received on Tuesday, 7 June 2016 15:51:00 UTC