Re: [slightlyoff/ServiceWorker] Foreign fetch vs non-credentialed requests (#878)

I thought allowing B to send credentialed requests for things like fonts hosted on B created a tracking issue. Is this not the case? In fact it seems B could send credentialed requests to C to track the user, which is not something the server could do.

> A thing we could add for defense-in-depth is more registration options. Optin for methods, headers, credentials, etc. so you don't have to write JavaScript to filter out the "bad" requests.

Yes, this is basically what I'm asking for in issue #880. Some basic protections against potentially dangerous requests that you should opt-in to.
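As an added example (not code from this thread or from the ServiceWorker project), here is what the "write JavaScript to filter out the bad requests" approach looks like on origin B's side, using the foreign fetch API as it was proposed at the time (`registerForeignFetch` in the `install` handler and the `foreignfetch` event with `event.origin`). The hostnames, the `/fonts/` scope and the `foreignRequestAllowed` helper are assumptions. Foreign fetch was later removed from the spec, so this illustrates the opt-in design under discussion rather than a pattern to deploy today.

```javascript
// Added example, not from the thread: a foreign fetch service worker on
// origin B that only answers the requests it has opted in to.
// Assumes the 2016 foreign fetch proposal (`foreignfetch` event,
// `registerForeignFetch`). ALLOWED_ORIGINS and FONT_SCOPE are hypothetical.

const ALLOWED_ORIGINS = ['https://a.example']; // embedders allowed to use B's fonts
const FONT_SCOPE = '/fonts/';                  // only this path is ever handled
const ALLOWED_METHODS = ['GET', 'HEAD'];

// Pure policy check, kept separate from the worker wiring so it can be
// unit-tested outside a service worker. `request` only needs `method`,
// `credentials` and (optionally) `headers`, so plain objects work as well
// as real Request instances. Returns {ok, reason}.
function foreignRequestAllowed(request, origin) {
  if (!ALLOWED_ORIGINS.includes(origin)) {
    return { ok: false, reason: 'origin' };
  }
  if (!ALLOWED_METHODS.includes(request.method)) {
    return { ok: false, reason: 'method' };
  }
  // A credentials mode of "include" sends B's cookies on a cross-origin
  // request, which is exactly what lets B identify the user. "omit" and
  // "same-origin" (the default for @font-face loads) send none cross-origin.
  if (request.credentials === 'include') {
    return { ok: false, reason: 'credentials' };
  }
  // An Authorization header is not covered by credentials mode, so check it too.
  const headers = request.headers;
  if (headers && typeof headers.get === 'function' && headers.get('authorization')) {
    return { ok: false, reason: 'authorization-header' };
  }
  return { ok: true, reason: null };
}

// Worker wiring; guarded so the policy function above can also be loaded
// in Node for testing, where `self` does not exist.
if (typeof self !== 'undefined' && typeof self.addEventListener === 'function') {
  self.addEventListener('install', (event) => {
    // Registration-level filter: opt in only to the font path and the
    // listed origins. Everything else never reaches the foreignfetch handler.
    event.registerForeignFetch({ scopes: [FONT_SCOPE], origins: ALLOWED_ORIGINS });
  });

  self.addEventListener('foreignfetch', (event) => {
    const verdict = foreignRequestAllowed(event.request, event.origin);
    if (!verdict.ok) {
      // Returning without respondWith() lets the request proceed to the
      // network as usual, so the worker never answers a credentialed request.
      return;
    }
    event.respondWith(
      caches.match(event.request)
        .then((cached) => cached || fetch(event.request))
        // Scope the response to the requesting origin only.
        .then((response) => ({ response, origin: event.origin }))
    );
  });
}
```

The two filters act at different layers: `registerForeignFetch` narrows which scopes and origins are routed to the worker at all, and `foreignRequestAllowed` is the per-request check on method and credentials that the quoted registration options would make declarative. Checking origin first and credentials before touching the cache means a rejected request leaves no trace in B's cache either.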

---
https://github.com/slightlyoff/ServiceWorker/issues/878#issuecomment-210483987

Received on Friday, 15 April 2016 14:32:16 UTC