[whatwg/fetch] Clarification: how are origins compared for equality? (#468)

In https://fetch.spec.whatwg.org/#concept-main-fetch, main fetch step 11 includes a test:

> request’s current url’s origin is request’s origin and CORS flag is unset 

which includes an equality test between origins, but it is not clear which equality is meant. The lhs is "request’s current url’s origin", so its domain is always `null` (https://url.spec.whatwg.org/#origin). The rhs is the "request’s origin", which may be set by https://fetch.spec.whatwg.org/#dom-request, step 7:

> Let origin be current settings object’s origin.

or by https://fetch.spec.whatwg.org/#concept-fetch, step 2:

> If request’s origin is "client", set request’s origin to request’s client’s origin.

which may have a domain.

I think what's intended is that the origins are to be compared as being same-origin (https://html.spec.whatwg.org/multipage/browsers.html#same-origin), that is, the domain is ignored. However, the way the spec is currently written, it looks like syntactic identity is being used, so the test will fail if the client has set `document.domain`.

Should the test here be "request’s current url’s origin is **the same as** request’s origin and CORS flag is unset"?

https://github.com/whatwg/fetch/issues/468

Received on Friday, 27 January 2017 00:18:45 UTC
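
The two readings of "is" raised in this issue, modelled side by side as an added example (not part of the original message or of any spec text). The function names are hypothetical, origins are modelled as plain objects, and only http/https tuple origins are handled.

```javascript
// Added illustration: a tuple origin is modelled as { scheme, host, port, domain }.
// Opaque origins are out of scope for this sketch.

// Origin of a URL: per the URL Standard the domain component is always null.
function urlOrigin(urlString) {
  const u = new URL(urlString);
  const scheme = u.protocol.slice(0, -1);
  const defaultPorts = { http: 80, https: 443 }; // assumption: http(s) only
  const port = u.port === "" ? defaultPorts[scheme] : Number(u.port);
  return { scheme, host: u.hostname, port, domain: null };
}

// Origin of a settings object after the page has assigned document.domain.
function withDocumentDomain(origin, domain) {
  return { ...origin, domain };
}

// Reading 1: "is" as identity of all four components (syntactic identity).
function identical(a, b) {
  return a.scheme === b.scheme && a.host === b.host &&
         a.port === b.port && a.domain === b.domain;
}

// Reading 2: HTML "same origin", which ignores the domain component.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// HTML "same origin-domain", shown for contrast: it does consult the domain.
function sameOriginDomain(a, b) {
  if (a.scheme === b.scheme && a.domain !== null && a.domain === b.domain) return true;
  return sameOrigin(a, b) && a.domain === null && b.domain === null;
}

// Evaluate the main fetch comparison under each reading.
function compare(requestOrigin, currentUrl) {
  const urlO = urlOrigin(currentUrl);
  return {
    identical: identical(urlO, requestOrigin),
    sameOrigin: sameOrigin(urlO, requestOrigin),
    sameOriginDomain: sameOriginDomain(urlO, requestOrigin),
  };
}

// Constructed sample: a page on app.example.com that set document.domain.
const client = withDocumentDomain(urlOrigin("https://app.example.com/page"), "example.com");
console.log(compare(client, "https://app.example.com/api/data"));
```

Only the "same origin" reading keeps a request to the page's own host on the non-CORS path once `document.domain` has been set; the identity reading turns it into a mismatch.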