- From: Anne van Kesteren <notifications@github.com>
- Date: Thu, 09 Nov 2017 11:14:42 +0000 (UTC)
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 9 November 2017 11:15:11 UTC
I think you're reading way more into the couple points I made and copying folks interested in security than was meant. https://github.com/whatwg/meta/blob/master/GITHUB-TEAMS.md might help.

I think that changing the URL of a resource is problematic, more so than changing its origin (can also be done through sandboxing), as it ends up breaking relative URLs. If you do this explicitly through a synthetic response it seems less problematic, as presumably in that case you know it to not break.

I also think that a security model that puts the sole authority with the request is wrong in the world of service workers.

I would be happy with rejecting CORS responses when request's mode is "same-origin". That seems better than introducing a local quirk that does not normally apply. I call it a quirk as it gives the request a strange new primitive we don't otherwise expose.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/629#issuecomment-343123987