Re: [whatwg/fetch] should fetch() allow no-cors cross-origin HEAD request? (#278)

The argument is mostly that if we have an opaque blob coming from the server, then being able to modify that (by removing its underlying body) is a violation of the same-origin policy.

I don't have a proof of attack, just a theoretical hunch that this is wrong and might cause problems at some point.

It's certainly wrong if you can cut the body part-way through (see https://github.com/domenic/cancelable-promise/issues/4); e.g., that would allow importing scripts but only executing the bits you like.

---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/278#issuecomment-214968564

Received on Wednesday, 27 April 2016 04:44:33 UTC
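As an added illustration of the "cut the body part-way through" concern (this is not code from the thread, the Fetch Standard, or any browser, and it is not a working browser exploit): the Node.js snippet below simulates the situation with a constructed script body and uses `new Function` in place of real cross-origin script execution. The script body, the `globals` object, and the `token` property are all made up for the demonstration; no request is sent anywhere.

```javascript
// Added example, not code from the thread or from the Fetch Standard. It
// simulates the truncation concern with a constructed script body and uses
// `new Function` in place of real cross-origin script execution.

// Constructed stand-in for a cross-origin script body. The origin serving it
// intends all three statements to run as one unit: the last one removes the
// temporary `token` the first one exposed.
const SCRIPT_BODY =
  "globals.token = 'secret-from-origin';\n" +
  "globals.ready = true;\n" +
  "delete globals.token;\n";

// Offsets just past each newline, i.e. the statement boundaries that someone
// who controls where the body stops would aim for.
function statementBoundaries(body) {
  const offsets = [];
  for (let i = 0; i < body.length; i++) {
    if (body[i] === "\n") offsets.push(i + 1);
  }
  return offsets;
}

// Execute only the first `cut` characters of `body` against a fresh
// `globals` object and report what the prefix left behind.
function runPrefix(body, cut) {
  const globals = {};
  const prefix = body.slice(0, cut);
  try {
    new Function("globals", prefix)(globals);
    return { cut, parsed: true, state: globals };
  } catch (e) {
    // A cut inside a token (e.g. an unterminated string literal) is not valid
    // JavaScript, so nothing runs; any other error is a runtime failure of a
    // prefix that did parse.
    return { cut, parsed: !(e instanceof SyntaxError), state: globals, error: e.message };
  }
}

// Try every statement boundary and list the cuts after which the temporary
// `token` is still present, i.e. the prefixes that leave behind something the
// complete script never does.
function cutsThatLeakToken(body) {
  return statementBoundaries(body)
    .map((cut) => runPrefix(body, cut))
    .filter((r) => r.parsed && "token" in r.state)
    .map((r) => r.cut);
}

console.log("full body leaves:", runPrefix(SCRIPT_BODY, SCRIPT_BODY.length).state);
console.log("cuts that leak token:", cutsThatLeakToken(SCRIPT_BODY));
console.log("cut inside a string literal:", runPrefix(SCRIPT_BODY, 17));
```

The full body ends with `token` removed, while stopping the body after either of the first two statements leaves it in place, which is the "only execute the bits you like" effect the comment describes. A cut that lands inside a token is a `SyntaxError` and runs nothing, so the attacker needs the cut to fall on (or at least parse as) a statement boundary; with a real opaque response the page cannot see the bytes to pick that point, which is why the ability to truncate at all is what matters.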