Re: [w3c/ServiceWorker] "no-cors" CSS SOP violation (#719)

>what is this cross-origin compared to? The client initiating the request? Or the document/stylesheet initiating the request?

Client. We should not check same-origin/cross-origin based on stylesheet.

>I'm just curious if we care about the case where we have:
>1 Document with origin foo.com loads stylesheet "foo.com/A.css"
>2 Stylesheet "foo.com/A.css" does @import("bar.com/B.css")
>3 Stylesheet "bar.com/B.css" does @import("foo.com/C.css")
>Is the "foo.com/C.css" load considered same-origin or cross-origin for the purposes of this check? If it's considered same-origin then it seems some information about the cross-origin "bar.com/B.css" has been leaked.

Step 3:
Initiator: "bar.com/B.css"
Initiator was fetched with "no-cors": true
Initiator was cross-origin: true
return null

So this will not leak the info. But from the SW point of view, you might want to serve it from cache though. My solution is based on security, not performance.

BTW, `Add "css" (and "worker" if required) in request initiator` might not be required. We just need to check that the initiator's destination was "style" (or "worker").


-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/issues/719#issuecomment-358601539

Received on Thursday, 18 January 2018 10:17:51 UTC
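
The three-step chain from the question, run through the check described in the reply, as an added example that is not part of the original message or of the Service Worker specification. Function and field names are hypothetical, the `https://` URLs are constructed, and "return null" is assumed to mean the service worker does not get to handle the request.

```javascript
// Model of the proposed check. All names are hypothetical; a null result
// stands for the "return null" outcome in the message.

const sameOrigin = (a, b) => new URL(a).origin === new URL(b).origin;

// initiator: null when the document (client) itself issued the request,
// otherwise a record of how the initiating resource was fetched:
// { url, mode, destination }.
function handleFetch(clientUrl, initiator) {
  if (initiator === null) return 'service-worker';
  // Only initiators whose destination was "style" (or "worker") are checked.
  const checked = initiator.destination === 'style' ||
                  initiator.destination === 'worker';
  const noCors = initiator.mode === 'no-cors';
  // Cross-origin is judged against the client, never against the stylesheet.
  const crossOrigin = !sameOrigin(initiator.url, clientUrl);
  return (checked && noCors && crossOrigin) ? null : 'service-worker';
}

// Constructed chain: document -> A.css -> @import B.css -> @import C.css.
function walkChain() {
  const client = 'https://foo.com/';
  const chain = [
    'https://foo.com/A.css',
    'https://bar.com/B.css',
    'https://foo.com/C.css',
  ];
  const results = [];
  let initiator = null; // the first load is issued by the document
  for (const url of chain) {
    results.push({ url, handledBy: handleFetch(client, initiator) });
    // Each stylesheet becomes the initiator of the next @import.
    initiator = { url, mode: 'no-cors', destination: 'style' };
  }
  return results;
}

for (const r of walkChain()) console.log(r.url, '->', r.handledBy);
```

Although `foo.com/C.css` is same-origin with the client, it is the only load in the chain that yields null, because its initiator `bar.com/B.css` was a cross-origin "no-cors" stylesheet.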