Re: [whatwg/fetch] Request body streams should use chunked encoding (#966)

I am (again) proposing the following:

 - Restrict the feature to secure contexts.
   We have no checks for same-origin requests, which means we want some reasons to trust the same-originness. Without TLS, an attacker can use this feature to attack servers not ready for it.
 - Have a new HTTP header attached to CORS preflight.
   With the header we'll be sure that both the client and the origin server are ready for this feature. We don't need to rely on the use of H2 to exchange the signal.

These don't cover the proxy problem @mnot mentioned, but with TLS the server-side developer should have contacts to proxies, because at least they share the certificate. Hence asking server-side developers to ensure that the streaming upload feature can be used for their service sounds reasonable to me.

What do you think?

-- 
https://github.com/whatwg/fetch/issues/966#issuecomment-559676518

Received on Friday, 29 November 2019 06:37:01 UTC