Re: [ServiceWorker] spec should be more explicit about accessing internal body on opaque Responses (#710)

> I'm worried about changing opaque responses. I'd appreciate input from security folks since this changes the same-origin policy. I would probably throw for the latter case as I suggested earlier.

Also, I really don't understand the security concerns. We're already hiding opaque response bodies from script. All removing the body on HEAD does is further hide the body from the browser. Removing information seems generally safe.

---
Reply to this email directly or view it on GitHub:
https://github.com/slightlyoff/ServiceWorker/issues/710#issuecomment-194909927

Received on Thursday, 10 March 2016 15:40:16 UTC