- From: John Wilander <notifications@github.com>
- Date: Mon, 16 Apr 2018 16:56:24 +0000 (UTC)
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 16 April 2018 16:57:08 UTC
> For example, the situation you described seems to lead to a cross-origin information leak: evil.com can now infer if a frame from victim.com is loaded anywhere in its current process by returning different From-Origin values for its resources and seeing if they render, even if it doesn't have a reference to the victim.com window or its parent. Interesting. Yes, that is an issue to consider. > Aside from security concerns, such "action at a distance" may lead to unexpected application failures, and doesn't seem easy to test for or debug. Agreed. I'm mostly thinking of strict mode as "the big hammer" for cases where a leak is catastrophic and site breakage is tolerable. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/687#issuecomment-381674301
Received on Monday, 16 April 2018 16:57:08 UTC