- From: Maciej Stachowiak <notifications@github.com>
- Date: Mon, 16 Apr 2018 21:30:43 +0000 (UTC)
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 16 April 2018 21:31:08 UTC
I think checking all frames is unnecessary. For the same/same-site case, you have to trust that you won't load dangerous third-party iframes anywhere on your site. You can self-enforce this with CSP. For the case where From-Origin specifies other origins, you have to either trust them or assume it's not a Spectre defense and just for purposes like hotlinking prevention.

Another thing to think about: should From-Origin apply to no-credentials requests? Should there be a way to say "it's ok to load my resources cross-origin but not with credentials"?

View it on GitHub: https://github.com/whatwg/fetch/issues/687#issuecomment-381756323