- From: Boris Zbarsky <notifications@github.com>
- Date: Wed, 14 Nov 2018 07:08:10 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 14 November 2018 15:08:36 UTC
Say a fetch starts via <https://fetch.spec.whatwg.org/#concept-main-fetch>. Starting in step 5, we go parallel, so should be able to execute on an arbitary thread/process without touching ambient state. If the response is an HTTP redirect, we will end up in https://fetch.spec.whatwg.org/#concept-http-redirect-fetch which again calls into main fetch, but already running in parallel. But main fetch step 2.4 calls https://w3c.github.io/webappsec-csp/#should-block-request which does: > Let CSP list be request’s client’s global object’s CSP list. This is doing an unsynchronized access to the CSP list, which could be in the middle of being mutated due to a meta tag insertion or something. We need to either snapshot the CSP list when the request is created or do the redirect fetch off a task that ensures it runs when the CSP list is stable or something. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/832
Received on Wednesday, 14 November 2018 15:08:36 UTC