Re: [whatwg/fetch] Consider preserving destination on `new Request(request)` (#717)

1 is essentially why we don't do this. See also #521. This functionality would allow an advanced XSS attack to bypass CSP and serve the response of an image (which might have "unsafe domains" safelisted) as a script.

https://github.com/whatwg/fetch/issues/717#issuecomment-384510494

Received on Thursday, 26 April 2018 04:36:52 UTC