- From: Anne van Kesteren <notifications@github.com>
- Date: Tue, 05 Sep 2017 12:38:24 +0000 (UTC)
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 5 September 2017 12:38:52 UTC
Updated the title to reflect type being folded into destination, but the same general concern applies. Consider, a site safelists `image-src` requests, but not `connect-src`. This would allow you to read arbitrary third-party data with `fetch()`, despite that CSP policy. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/521#issuecomment-327162502
Received on Tuesday, 5 September 2017 12:38:52 UTC