- From: Ben Kelly <notifications@github.com>
- Date: Fri, 03 Nov 2017 13:59:06 +0000 (UTC)
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 3 November 2017 13:59:29 UTC
Note, we may have a run into a thorny spec question with this change here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1222008#c38
Consider:
```
var xmlDoc = document.implementation.createDocument(null, null, null);
xmlDoc.load('load_cross_origin_xml_document_cors.xml');
// SW intercepts and passes a cross-origin CORS response to respondWith()
```
In this case the outer network request is set up as same-origin (at least we make that restriction for XMLDocument in gecko). What should we do in the case where the service worker synthesizes a cross-origin CORS Response? Should we expose the cross-origin URL for the DocumentURI? That seems somewhat surprising and potentially breaking.
This problem exists for other same-origin requests as well such as Worker() top level scripts, same-origin fetch(), etc.
How would people feel if we rejected the outer network request if you synthesized a cross-origin Response onto a same-origin Request?
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/146#issuecomment-341710548
Received on Friday, 3 November 2017 13:59:29 UTC