Re: [ServiceWorker] Prevent opaque requests being used in response to client requests (#590)

For client requests related to workers this is not possible since those require same-origin responses. I guess the mode for "form" et al is "no-cors" so we do indeed have an issue of sorts there.

Is anything but an opaque response okay in those scenarios? E.g. if the SW passes a CORS response back, the UA would need to enforce the CORS filtered response limitations; otherwise you could embed something in an `<iframe>` and get more data out of it.

---
Reply to this email directly or view it on GitHub:
https://github.com/slightlyoff/ServiceWorker/issues/590#issuecomment-66782906

Received on Friday, 12 December 2014 15:01:07 UTC