Re: [whatwg/fetch] Cross-Origin Read Blocking (CORB) (#681)

I just ran into an issue with CORB using the Fetch API. I understand the security implications of blocking third-party extensions/JavaScript from reading sensitive MIME types when coming into the client's browser. My questions are:

1. If we shift the request server side and then send the response back to the client via the same origin, how does that stop third-party JS from intercepting and reading the response?

2. How do ad scripts still load JSON/HTML/JS on pages even though they are obviously cross-origin requests?

Would appreciate any help in shining light on these.

https://github.com/whatwg/fetch/issues/681#issuecomment-445383891

Received on Friday, 7 December 2018 22:22:19 UTC