- From: Anne van Kesteren <notifications@github.com>
- Date: Thu, 14 Jan 2016 03:48:19 -0800
- To: slightlyoff/ServiceWorker <ServiceWorker@noreply.github.com>
Received on Thursday, 14 January 2016 11:48:46 UTC
So:

1. The service worker itself is always fetched with credentials included.
2. Any foreign fetch from A to B may or may not have credentials included.
3. Whether credentials are included is exposed on the `Request` class, though in a somewhat confusing way in the context of foreign fetch. E.g., what does "same-origin" mean?
4. Although A makes the foreign fetch, only B can turn this into a network fetch. This means that to B's server, it looks like a same-origin fetch.

Perhaps the answer is that B cannot give basic responses to A. Only responses that are synthetic (generated by a service worker that knows this was a foreign fetch due to the new event), CORS responses that approve of A in some manner, or responses that are turned into CORS responses through some new kind of API. This should protect B's service worker and server quite a bit.

---
Reply to this email directly or view it on GitHub: https://github.com/slightlyoff/ServiceWorker/pull/751#issuecomment-171621874
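The response-gating rule proposed in the comment above (B may hand a foreign fetch from A only synthetic responses, CORS responses that approve of A, or responses explicitly upgraded to CORS), written out as a policy check. This is an added illustration, not code from the ServiceWorker PR or from any browser; the response model (`type` of `synthetic`, `basic` or `cors` plus a lowercase header map) and the function names are assumptions, and the credentialed-CORS branch applies the standard rule that a wildcard `Access-Control-Allow-Origin` does not approve a credentialed requester.

```javascript
// Added example: a gate that decides whether a response produced inside origin
// B's service worker may be returned to a foreign fetch issued by origin A.
// Response model (an assumption for this illustration):
//   { type: 'synthetic' | 'basic' | 'cors', headers: { 'lower-case-name': value } }
// 'synthetic' = constructed by B's worker, which knows it is answering a
// foreign fetch; 'basic' = B's own server answered what looked to it like a
// same-origin request; 'cors' = B's server answered with CORS headers.

function foreignFetchResponseAllowed(requesterOrigin, workerOrigin, credentialsIncluded, response) {
  // Not a foreign fetch at all: A and B are the same origin, nothing to protect.
  if (requesterOrigin === workerOrigin) {
    return { allowed: true, reason: 'same-origin fetch' };
  }
  const h = response.headers || {};
  switch (response.type) {
    case 'synthetic':
      // Generated by the worker that received the foreign fetch event.
      return { allowed: true, reason: 'synthetic response from foreign fetch handler' };
    case 'basic':
      // B's server saw a same-origin-looking request; its body must not leak to A.
      return { allowed: false, reason: 'basic response from B must not be exposed to A' };
    case 'cors': {
      const acao = h['access-control-allow-origin'];
      const acac = h['access-control-allow-credentials'];
      if (credentialsIncluded) {
        // With credentials, only an exact origin match plus ACAC: true approves A.
        return acao === requesterOrigin && acac === 'true'
          ? { allowed: true, reason: 'CORS response approves credentialed A' }
          : { allowed: false, reason: 'CORS response does not approve credentialed A' };
      }
      if (acao === '*' || acao === requesterOrigin) {
        return { allowed: true, reason: 'CORS response approves A' };
      }
      return { allowed: false, reason: 'CORS response approves a different origin' };
    }
    default:
      return { allowed: false, reason: `unknown response type: ${response.type}` };
  }
}

// Models "turned into CORS responses through some new kind of API": B's worker
// deliberately approves origin A for a response it received, so the gate
// treats it as a CORS response approving A (with credentials).
function approveForOrigin(response, approvedOrigin) {
  return {
    type: 'cors',
    headers: {
      ...(response.headers || {}),
      'access-control-allow-origin': approvedOrigin,
      'access-control-allow-credentials': 'true',
    },
  };
}
```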