- From: Anne van Kesteren <notifications@github.com>
- Date: Fri, 05 Aug 2016 05:21:18 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
Received on Friday, 5 August 2016 12:24:14 UTC
Although technically this could lead to exfiltration, that is already possible through `<iframe>`. So the protection the standard has is largely theoretical, moot in practice, and not implemented in browsers. Since request's origin is only reset during redirects for CORS, fixing this shouldn't be too tricky. Need to decide whether to simply set response tainting to basic or move to a different concept altogether.

---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/357