- From: Jake Archibald <notifications@github.com>
- Date: Thu, 04 Aug 2016 02:28:16 -0700
- To: slightlyoff/ServiceWorker <ServiceWorker@noreply.github.com>
Received on Thursday, 4 August 2016 09:28:48 UTC
Yeah, we're not doing this as it turns a small XSS into a huge long-term issue. If we allowed something like this, the controlled origin would need to opt into it somehow, maybe via something like CSP. It seems like `importScripts(crossOriginURL)` already provides this opt-in in a much simpler way. --- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/slightlyoff/ServiceWorker/issues/940#issuecomment-237501449
Received on Thursday, 4 August 2016 09:28:48 UTC