- From: Ben Kelly <notifications@github.com>
- Date: Wed, 27 Apr 2016 18:49:00 -0700
- To: slightlyoff/ServiceWorker <ServiceWorker@noreply.github.com>
- Cc:
Received on Thursday, 28 April 2016 01:49:30 UTC
Handle Fetch step 12.1 says this for non-subresource requests:

> If client is not a secure context, return null.

The client in this case is the window that initiated the request.

For some cases this makes sense. For example, a nested iframe making the request to load its document. This check should prevent an insecure parent document from creating a nested https iframe in order to postMessage() to the server. That's good.

It doesn't seem to make sense, though, for things like navigations. If I'm on http://foo.com and follow a link to https://bar.com, I should totally be able to get an intercepted and controlled https://bar.com.

Can we just use the concept of "reserved" or "target" Client here instead? I think maybe "target" client would be right. (Assuming an about:blank in a new tab would pass the secure context check by being a local url.)

---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/slightlyoff/ServiceWorker/issues/890
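The two scenarios from the message above, as an added example that is not part of the original message or of the specification text. It is a simplified model: the client objects, the function names and the `'initiator'`/`'target'` rule labels are hypothetical, and it assumes a client counts as a secure context only when its own URL is https and every ancestor client is also a secure context.

```javascript
// Simplified model, constructed for illustration only.
// A client is { url, parent }; parent is the embedding client, or null
// for a top-level browsing context.

// Assumption: only https URLs are treated as trustworthy in this model.
function isTrustworthyUrl(url) {
  return new URL(url).protocol === 'https:';
}

// Assumption: a client is a secure context only if it and all of its
// ancestors were loaded from trustworthy URLs.
function isSecureContext(client) {
  for (let c = client; c !== null; c = c.parent) {
    if (!isTrustworthyUrl(c.url)) return false;
  }
  return true;
}

// Models the check for a non-subresource request. rule 'initiator' checks
// the window that started the request (the behaviour the message
// describes); rule 'target' checks the client the response will create
// (the behaviour the message proposes). Returns null when the service
// worker is bypassed, 'intercept' otherwise.
function handleFetchCheck(initiator, target, rule) {
  const checked = rule === 'initiator' ? initiator : target;
  return isSecureContext(checked) ? 'intercept' : null;
}

// Constructed scenarios matching the two cases in the message.
function scenarios() {
  const httpPage = { url: 'http://foo.com/', parent: null };
  // Case 1: insecure parent embeds a nested https iframe.
  const nestedFrame = { url: 'https://bar.com/frame', parent: httpPage };
  // Case 2: top-level navigation from http://foo.com to https://bar.com.
  const navigated = { url: 'https://bar.com/', parent: null };
  return {
    iframeInitiatorRule: handleFetchCheck(httpPage, nestedFrame, 'initiator'),
    iframeTargetRule: handleFetchCheck(httpPage, nestedFrame, 'target'),
    navInitiatorRule: handleFetchCheck(httpPage, navigated, 'initiator'),
    navTargetRule: handleFetchCheck(httpPage, navigated, 'target'),
  };
}

console.log(scenarios());
```

Under these assumptions the nested iframe is refused under either rule, because its ancestor is insecure, while the top-level navigation is refused only when the initiating window is the one checked.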