- From: Anne van Kesteren <notifications@github.com>
- Date: Fri, 03 Jul 2015 01:51:00 -0700
- To: slightlyoff/ServiceWorker <ServiceWorker@noreply.github.com>
Received on Friday, 3 July 2015 08:51:27 UTC
Per our current set of definitions a service worker reveals what resources a "no-cors" CSS stylesheet attached to a document loads. In particular this can leak confidential tokens in the URLs.

Entered the public record here: http://krijnhoetmer.nl/irc-logs/whatwg/20150703#l-286

According to @jakearchibald resource timing (paging @igrigorik) did this first, in both Chrome and Firefox. I think we should revert both, seems like bad precedent to cut more holes in SOP.

---
Reply to this email directly or view it on GitHub: https://github.com/slightlyoff/ServiceWorker/issues/719