[fetch] mixed content and CSP checks should be run after SW handles fetch event (#77)

Currently Main Fetch step 4 says:

  "If should fetching request be blocked as mixed content or should fetching request be blocked as content security returns blocked, set response to a network error."

This is designed to honor mixed content and CSP restrictions.

These checks, however, are dependent on the request context of the fetch. In the case of a SW handling a fetch event, it may perform a fetch() with a "fetch" request context which is different from the FetchEvent.request's context. This means the resulting Response may end up violating the intercepted network interception's mixed content and CSP rules.

I think HTTP fetch step 2.2 needs to perform the same mixed content and CSP checks using the original FetchEvent.request's context and the returned Response's tainting.

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/77

Received on Friday, 10 July 2015 01:07:26 UTC
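The gap described in the issue, as an added example that is not part of the original issue, the Fetch spec, or any browser's code: a small Node.js model of the two checks. It runs them the way Main Fetch step 4 does (on the request actually being fetched, with that request's own client and destination) and then the way the issue proposes for HTTP fetch step 2.2 (on the original FetchEvent.request's context, against the response the service worker returned). The origins, URLs, CSP policy, directive table and the use of the response URL in place of response tainting are all constructed assumptions for illustration, and the matching rules are deliberately simplified.

```javascript
// Added example, not from the issue or the Fetch spec. Node.js model of the
// mixed-content and CSP checks discussed above. All origins, URLs, the CSP
// policy and the directive table are constructed for illustration and
// simplified: no "optionally blockable" mixed content, no path or wildcard
// host matching, no nonces or hashes.

// Which CSP directive governs a request, keyed by destination (subset of the
// real mapping; "" is a bare fetch() from script, the "fetch" context).
const DIRECTIVE_FOR_DESTINATION = {
  "": "connect-src",
  image: "img-src",
  script: "script-src",
  style: "style-src",
};

// Mixed content: a secure (https) client fetching a non-secure (http) URL.
function mixedContentCheck(clientOrigin, targetUrl) {
  const clientIsSecure = new URL(clientOrigin).protocol === "https:";
  const targetIsSecure = new URL(targetUrl).protocol === "https:";
  return clientIsSecure && !targetIsSecure ? "blocked" : "allowed";
}

// Minimal CSP source-expression matching: 'none', '*', 'self', or a host
// source such as https://cdn.example compared by origin.
function cspSourceMatches(source, clientOrigin, targetUrl) {
  if (source === "'none'") return false;
  if (source === "*") return true;
  const target = new URL(targetUrl);
  if (source === "'self'") return target.origin === new URL(clientOrigin).origin;
  return new URL(source).origin === target.origin;
}

// CSP: look up the directive for the request's destination, falling back to
// default-src as CSP does; no applicable directive means no restriction.
function cspCheck(policy, clientOrigin, destination, targetUrl) {
  const directive = DIRECTIVE_FOR_DESTINATION[destination] || "default-src";
  const sources = policy[directive] || policy["default-src"];
  if (!sources) return "allowed";
  return sources.some((s) => cspSourceMatches(s, clientOrigin, targetUrl))
    ? "allowed"
    : "blocked";
}

// Main Fetch step 4 as quoted in the issue: both checks run on the request
// being fetched, using that request's own client and destination.
function mainFetchStep4(request) {
  if (mixedContentCheck(request.clientOrigin, request.url) === "blocked") return "blocked";
  return cspCheck(request.csp, request.clientOrigin, request.destination, request.url);
}

// The check the issue proposes for HTTP fetch step 2.2: once the service
// worker has produced a response, re-run both checks with the ORIGINAL
// FetchEvent.request's context. The issue refers to the response's tainting;
// this model (an assumption) uses the response's URL instead.
function postServiceWorkerCheck(originalRequest, response) {
  if (mixedContentCheck(originalRequest.clientOrigin, response.url) === "blocked") return "blocked";
  return cspCheck(
    originalRequest.csp,
    originalRequest.clientOrigin,
    originalRequest.destination,
    response.url
  );
}

// Constructed scenario: an https page with "img-src 'self'" requests its own
// logo. The service worker (same origin, assumed to run under the same policy)
// answers the fetch event with a fetch() of a CDN URL. That fetch() has
// destination "" and is governed by connect-src, so step 4 lets it through;
// the page's img-src restriction never applied to it.
function runScenario() {
  const pageOrigin = "https://app.example";
  const policy = { "default-src": ["'self'"], "img-src": ["'self'"], "connect-src": ["*"] };

  const fetchEventRequest = {
    url: "https://app.example/logo.png",
    destination: "image",
    clientOrigin: pageOrigin,
    csp: policy,
  };
  const serviceWorkerFetch = {
    url: "https://cdn.example/logo.png",
    destination: "", // plain fetch() inside the worker
    clientOrigin: pageOrigin, // worker registered on the page's origin
    csp: policy,
  };
  const response = { url: serviceWorkerFetch.url };

  return {
    pageRequestAlone: mainFetchStep4(fetchEventRequest), // "allowed"
    workerFetchStep4: mainFetchStep4(serviceWorkerFetch), // "allowed": connect-src *
    proposedPostSwCheck: postServiceWorkerCheck(fetchEventRequest, response), // "blocked": img-src 'self'
  };
}

if (typeof require !== "undefined" && require.main === module) console.log(runScenario());
```

The third result is the one the issue is about: step 4 on the worker's own fetch() passes, yet the bytes delivered for the page's image request come from an origin the page's img-src forbids, which only the proposed post-service-worker check (run with the original request's destination and client) catches.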