Re: [whatwg/fetch] consider failing same-origin fetch requests that get a cross-origin cors Response synthesized by a service worker (#629)

> Consider a manual redirect Request.

We enforce the restriction here because the caller (well, at least one of them: navigation) cannot deal with a different URL.

> I think we should consider using the Request.url if the Response.url is cross-origin and the Request.mode is same-origin.

That seems rather dangerous if the implementation is indeed still making authority decisions based on the request URL rather than the response concept. It would mean that certain headers normally not exposed through CORS might inadvertently end up being exposed.

https://github.com/whatwg/fetch/issues/629#issuecomment-342749358

Received on Wednesday, 8 November 2017 08:45:13 UTC