- From: Ilya Grigorik <notifications@github.com>
- Date: Fri, 03 Jun 2016 13:20:30 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc:
Received on Friday, 3 June 2016 20:20:56 UTC
> web developers have to expect incoming requests with any value from a 3rd party attacker since such an attacker can use fetch() or XHR to submit such requests I guess you could (should?) extend that same statement to any request (3rd party or not), since any script included on the page (regardless of origin), or introduced due to XSS vector/etc, could carry a value with some harmful side effects. @annevk @mnot any thoughts on this one? --- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/313#issuecomment-223684066
Received on Friday, 3 June 2016 20:20:56 UTC