Re: [w3c/ServiceWorker] "no-cors" CSS SOP violation (#719)

> response was cross-origin

@shhnjk, what is this cross-origin compared to?  The client initiating the request?  Or the document/stylesheet initiating the request?

I'm just curious if we care about the case where we have:

1. Document with origin foo.com loads stylesheet "foo.com/A.css"
2. Stylesheet "foo.com/A.css" does `@import("bar.com/B.css")`
3. Stylesheet "bar.com/B.css" does `@import("foo.com/C.css")`

Is the "foo.com/C.css" load considered same-origin or cross-origin for the purposes of this check?  If it's considered same-origin then it seems some information about the cross-origin "bar.com/B.css" has been leaked.

The situation is similar to how we handle CORS and redirects.  Once you redirect through a cross-origin that request is tainted as cross-origin even if it redirects back to same-origin.

Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/issues/719#issuecomment-358504301

Received on Thursday, 18 January 2018 01:12:32 UTC
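
The two readings of the question in this message, as an added example that is not part of the original email and is not browser or spec code: a simplified model that classifies each stylesheet either against the client origin alone or with redirect-style tainting along the `@import` chain. The `index.html` document URL, the extra `D.css` sibling and all function names are assumptions made for the illustration.

```javascript
// Simplified model of the @import chain from the message (constructed data).
const DOCUMENT = "https://foo.com/index.html"; // assumed client URL
// stylesheet URL -> URL of whatever loaded it (document or parent stylesheet)
const importedBy = new Map([
  ["https://foo.com/A.css", DOCUMENT],
  ["https://bar.com/B.css", "https://foo.com/A.css"],
  ["https://foo.com/C.css", "https://bar.com/B.css"],
  ["https://foo.com/D.css", "https://foo.com/A.css"], // constructed sibling
]);

const originOf = (url) => new URL(url).origin;

// Reading 1: compare the stylesheet only with the client (document) origin.
function crossOriginVsClient(url) {
  return originOf(url) !== originOf(DOCUMENT);
}

// Reading 2: taint like a redirect chain. A stylesheet is cross-origin if it,
// or any stylesheet on the import path leading to it, is cross-origin.
function crossOriginWithTaint(url) {
  const client = originOf(DOCUMENT);
  const seen = new Set(); // guards against a cyclic import map
  let cur = url;
  while (cur !== undefined && cur !== DOCUMENT && !seen.has(cur)) {
    if (originOf(cur) !== client) return true;
    seen.add(cur);
    cur = importedBy.get(cur);
  }
  return false;
}

// Side-by-side classification of every stylesheet in the map.
function compare() {
  return [...importedBy.keys()].map((url) => ({
    url,
    clientOnly: crossOriginVsClient(url),
    tainted: crossOriginWithTaint(url),
  }));
}

console.table(compare());
```

Only `foo.com/C.css` differs between the two columns: it is same-origin when compared with the client alone, and cross-origin once the path through `bar.com/B.css` is taken into account.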