Re: [whatwg/fetch] Add TAO check (#955)

annevk commented on this pull request.



> @@ -1800,6 +1805,15 @@ initially unset.
 being provided to an API that didn't make a range request. See the flag's usage for a detailed
 description of the attack.
 
+<p>A <a for=/>response</a> has an associated
+<dfn for=response id=concept-response-timing-allow-failed-flag>timing allow failed flag</dfn>, which
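Review bot: the definition breaks off at "which", so the quoted lines do not show the flag's initial value or the step that sets it; please make sure the full sentence says it is initially unset and points at where it is set, in the same style as the range-requested flag text directly above. A flag named for the failure case also forces the TAO check and every other consumer to treat "unset" as the success case; a positively named flag (for example a "timing allow passed flag" that is set when the check succeeds) reads more directly and avoids the double negative.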

Should we make this flag positive? Seems better for the consumer of it.

> @@ -5075,6 +5083,34 @@ agent's <a>CORS-preflight cache</a> for which there is a <a>cache entry match</a
 </ol>
 
 
+<h3 id=tao-check>TAO check</h3>
+
+<p>To perform a <dfn id=concept-tao-check>TAO check</dfn> for a <var>request</var> and
+<var>response</var>, run these steps:
+
+<ol>
+ <li><p>If <var>response</var>'s <a for=request>timing allow failed flag</a> is set, then return
+ failure.
+
+ <li><p>If <var>request</var>'s <a for=request>tainted origin flag</a> is unset and
+ <var>response</var>'s <a for=response>location URL</a>'s <a for=url>origin</a> is
+ <a>same origin</a> with <var>request</var>'s <a for=request>origin</a>, then return success.
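Review bot: step 1 links the flag as `<a for=request>timing allow failed flag</a>`, but the hunk above defines it as a response flag with `<dfn for=response ...>`; the `for=` value needs to be `response`, otherwise the cross-reference does not resolve to that definition. In step 2, `<var>response</var>'s <a for=response>location URL</a>` is the URL taken from a `Location` header, so it is only meaningful for redirect responses; if the intent is to compare the origin the response was actually fetched from, the target should be `response`'s URL (`<a for=response>URL</a>`). Please confirm which one is meant before the step is finalised.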

Okay, so this still needs changes, right?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/955#pullrequestreview-311084649

Received on Monday, 4 November 2019 14:00:44 UTC