[ServiceWorker] openWindow(url)'s same origin check should be done against the origin of the final response's url? (#646) from Jungkee Song on 2015-03-09 (public-webapps-github@w3.org from March 2015)

From: Jungkee Song <notifications@github.com>
Date: Sun, 08 Mar 2015 22:47:09 -0700
To: slightlyoff/ServiceWorker <ServiceWorker@noreply.github.com>
Message-ID: <slightlyoff/ServiceWorker/issues/646@github.com>

Pointed out by @inexorabletash at https://codereview.chromium.org/984853003/diff/1/content/browser/service_worker/service_worker_version.cc#newcode1155:
> An on-origin request could end up redirecting to an off-origin location. An off-origin request could
end up redirecting to an on-origin - even controlled - location.

We're currently check it against the origin of the original request's url. (step 5.4 of [openWindow](https://slightlyoff.github.io/ServiceWorker/spec/service_worker/index.html#clients-openwindow)) Should we check it against the origin of the final response's url?

---
Reply to this email directly or view it on GitHub:
https://github.com/slightlyoff/ServiceWorker/issues/646

Received on Monday, 9 March 2015 05:47:35 UTC