- From: Alex Russell <notifications@github.com>
- Date: Wed, 17 Jun 2015 18:17:50 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/66/113000638@github.com>
I can't imagine that we're leaking "too much" information here. It's visible in other ways (iframe onload handlers in some browsers, etc.). The specific issue here is 2-part: * We want to be able to "see" the redirect. Because these are collaborating origins, we can perhaps use CORS to surface the redirect, but today we don't provide any ability to handle them (or do we?). I think @kinu and @matto are going to look to see what Chrome does today in the face of a 302 + CORS today. * The other part is what to do when we get a Response which has a different origin as the URL. One option might be to allow `Response.redirect()` in the case where we can detect the eventual URL as not being on the same origin. Perhaps CORS + redirect would allow that? Another thought: one thing that Docs might be able to do in this case is to set a TTL on resposne document that's not zero if we can know the eventual URL isn't on the same origin. Hopefully if CORS+redirect can surface that, we might be able to use knowledge of the eventual URL + the browser's cache to keep from falling through to the network a second time. Thoughts? --- Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/66#issuecomment-113000638
Received on Thursday, 18 June 2015 01:18:20 UTC