Re: [whatwg/fetch] consider failing same-origin fetch requests that get a cross-origin cors Response synthesized by a service worker (#629)

Also, I would point out that the part that is appealing to the security team here is the exact behavior we do for this case in SW:

```js
evt.respondWith(async function() {
  let corsResponse = await fetch(crossOriginURL, { mode: 'cors' });
  let syntheticResponse = new Response(corsResponse.body);
  return syntheticResponse;
}());
```

A cross-origin body is returned but the outer Response ends up with the Request.url.  Are you really arguing that is unsafe @annevk?


Received on Wednesday, 8 November 2017 19:48:03 UTC