- From: Takeshi Yoshino <notifications@github.com>
- Date: Tue, 20 Jan 2015 21:56:48 -0800
- To: slightlyoff/ServiceWorker <ServiceWorker@noreply.github.com>
Received on Wednesday, 21 January 2015 05:57:17 UTC
@annevk Right... We're discussing this a little with our security team. As you said, @mikewest et. al are working on local/intra IP detection (http://crbug.com/378566). But it seems we're not so close to finish the work. So, to address the issue temporarily, I think we have two options for window: - a) Disallow construction of a Request with RequestInit.mode == no-cors - b) Make fetch() fulfill the returned Promise even for network error && disable Response.type attribute Only (b) works for SW. We need to dispatch no-cors requests coming from the page. It's critical. --- Reply to this email directly or view it on GitHub: https://github.com/slightlyoff/ServiceWorker/issues/581#issuecomment-70788432
Received on Wednesday, 21 January 2015 05:57:17 UTC