- From: Jake Archibald <notifications@github.com>
- Date: Wed, 12 Jul 2017 08:40:40 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 12 July 2017 15:41:12 UTC
It seems like browsers will allow a 206 partial response to a `<script src>`. As in, it will execute the script, which this PR would prevent.

The current behaviour seems weird to me. The level of risk is unclear, but if a server could be tricked into thinking your request is a range request (via query string params), and produces a partial response, it could result in data leaking.

With a service worker involved, it means you could take an opaque partial response (from a request generated by a media element) and use it in response to a script fetch. Again, there's a potential for data leak.

Should I try to find a way to preserve browser behaviour here, or go ahead and change it?

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/560#issuecomment-314809636
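An added example, not part of the original message and not code from the PR or the Fetch specification: a small model of why a service worker cannot itself tell that an opaque response is partial, so a check against running a 206 as a script has to sit in the browser. The object shapes, function names and the blocking rule are assumptions made for illustration.

```javascript
// Constructed model, not browser or spec code. An "internal" response is what
// the browser holds; script (page or service worker) only sees a filtered view.

// Filtered view handed to script. For a no-cors cross-origin response the view
// is opaque: status 0, no headers, no body access.
function viewForScript(internal) {
  if (internal.crossOriginNoCors) {
    return { type: 'opaque', status: 0, headers: {} };
  }
  return { type: 'basic', status: internal.status, headers: { ...internal.headers } };
}

// What a service worker could check on its own: only what the view exposes.
function serviceWorkerSeesPartial(view) {
  return view.status === 206 || 'content-range' in view.headers;
}

// Hypothetical browser-side rule (assumption): a script fetch never accepts a
// response whose internal status is 206, whatever the filtered view shows.
function browserAcceptsFor(destination, internal) {
  if (destination === 'script' && internal.status === 206) return false;
  return true;
}

// Constructed sample: a partial response fetched for a media element.
const mediaChunk = {
  status: 206,
  headers: { 'content-range': 'bytes 100-199/5000' },
  crossOriginNoCors: true,
};
// Constructed sample: a complete cross-origin script response.
const fullScript = { status: 200, headers: {}, crossOriginNoCors: true };

function demo() {
  const view = viewForScript(mediaChunk);
  return {
    swDetects: serviceWorkerSeesPartial(view),
    acceptedAsScript: browserAcceptsFor('script', mediaChunk),
    acceptedAsMedia: browserAcceptsFor('video', mediaChunk),
    fullScriptAccepted: browserAcceptsFor('script', fullScript),
  };
}

console.log(demo());
```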