Re: [whatwg/fetch] CORB: nosniff handling (#686)

I think it's better if all "opaque" responses are CORB-checked, and CORB shouldn't depend on any information in the request.

If request A can bring content from response B into evil.com's content process, then there's no point blocking any other kind of request from doing the same.

As a bonus, if we're blocking based on response only, then we don't end up with problems around opaque response objects or the cache API. The sensitive information will be removed before it's written to the cache, or before the response object is created.

https://github.com/whatwg/fetch/pull/686#issuecomment-380071132

Received on Tuesday, 10 April 2018 11:51:32 UTC
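The response-only check argued for in the comment above, as an added illustrative example. This is not the Fetch spec's CORB algorithm and not any browser's implementation, and it is not code from the comment's author: the protected-type list, the body sniffer and the header shape (a plain object keyed by lowercased header names, body as a string) are simplifications chosen here to show the control flow. The point it demonstrates is structural: `corbDecide` takes the response and nothing else, so the outcome cannot vary by request type, and `filterOpaqueResponse` applies it before a response object would be constructed or a cache entry written.

```javascript
// Added illustrative example of a CORB-style check that depends only on the
// response. Simplified; not the WHATWG Fetch algorithm or a browser's code.

// MIME types whose bodies are protected (HTML, XML, JSON). Simplified set.
const PROTECTED_MIME_TYPES = new Set([
  'text/html', 'text/xml', 'application/xml', 'application/json', 'text/json',
]);

// Reduce a Content-Type header value to its bare, lowercased MIME type.
function parseMimeType(contentType) {
  if (typeof contentType !== 'string') return '';
  return contentType.split(';')[0].trim().toLowerCase();
}

// Structured-suffix types such as image/svg+xml count as XML/JSON too.
function isProtectedMimeType(mime) {
  return PROTECTED_MIME_TYPES.has(mime) || /\+(xml|json)$/.test(mime);
}

// Simplified sniffing of the first bytes: does the body start like an HTML or
// XML document, or like JSON carrying the common ")]}'" anti-hijacking prefix?
// Real sniffers are stricter; this is enough to show where sniffing sits.
function sniffLooksProtected(bodyPrefix) {
  const s = String(bodyPrefix).replace(/^\uFEFF/, '').trimStart();
  if (/^<!--/.test(s)) return true;
  if (/^<\?xml/i.test(s)) return true;
  if (/^<(!doctype\s+html|html|head|body|script|iframe|title|meta|link|style|div|p|table|form|img|br|a)[\s>]/i.test(s)) return true;
  if (s.startsWith(")]}'")) return true;
  return false;
}

// The decision takes only the response. Nothing about the request (initiator,
// destination, mode) is an input, so the result is identical whether the bytes
// arrived via <img>, <script>, a no-cors fetch() or a service worker filling
// the Cache API.
function corbDecide(response) {
  const headers = response.headers || {};
  const mime = parseMimeType(headers['content-type']);
  const nosniff = String(headers['x-content-type-options'] || '')
    .trim().toLowerCase() === 'nosniff';

  if (isProtectedMimeType(mime)) {
    if (nosniff) {
      return { blocked: true, reason: 'protected type with nosniff: blocked without sniffing' };
    }
    if (sniffLooksProtected(response.body)) {
      return { blocked: true, reason: 'protected type confirmed by sniffing' };
    }
    // Servers mislabel scripts and images as text/html; without nosniff the
    // label alone is not trusted, so the body must look like the labelled type.
    return { blocked: false, reason: 'protected type label not confirmed by sniffing' };
  }

  if (mime === 'text/plain' && sniffLooksProtected(response.body)) {
    return { blocked: true, reason: 'text/plain body sniffs as HTML/XML/JSON' };
  }

  return { blocked: false, reason: 'not a protected type' };
}

// Apply the decision at the point where a Response object would be created or
// a cache entry written: a blocked response keeps its status but loses its
// body and headers, so nothing downstream can observe the sensitive bytes.
function filterOpaqueResponse(response) {
  const decision = corbDecide(response);
  if (!decision.blocked) return { response, decision };
  return { response: { status: response.status, headers: {}, body: '' }, decision };
}

// Constructed sample responses for the demo (not real captures).
const SAMPLE_RESPONSES = {
  nosniffHtml: {
    status: 200,
    headers: { 'content-type': 'text/html; charset=utf-8', 'x-content-type-options': 'nosniff' },
    body: '<!DOCTYPE html><title>Inbox</title>',
  },
  mislabeledScript: {
    status: 200,
    headers: { 'content-type': 'text/html' },
    body: 'window.app = {};',
  },
  plainLeak: {
    status: 200,
    headers: { 'content-type': 'text/plain' },
    body: '<html><body>Account: 12345</body></html>',
  },
  jsonPrefixed: {
    status: 200,
    headers: { 'content-type': 'application/json' },
    body: ")]}'\n{\"balance\":42}",
  },
  png: {
    status: 200,
    headers: { 'content-type': 'image/png' },
    body: '\x89PNG\r\n\x1a\n',
  },
};

for (const [name, response] of Object.entries(SAMPLE_RESPONSES)) {
  const { decision } = filterOpaqueResponse(response);
  console.log(name, decision.blocked ? 'BLOCKED' : 'allowed', '-', decision.reason);
}
```

Because `corbDecide` never sees the request, the "request A can bring content from response B into evil.com's process" argument is closed off by construction: there is no second request shape to probe for a gap, and the cache and the opaque `Response` only ever see the already-filtered bytes.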