[fetch] Should fetch(evt.request) send original RequestDestination and RequestType? (#262) from Ben Kelly on 2016-03-23 (public-webapps-github@w3.org from March 2016)

From: Ben Kelly <notifications@github.com>
Date: Wed, 23 Mar 2016 08:03:32 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Message-ID: <whatwg/fetch/issues/262@github.com>

While reviewing some gecko related code I noticed that step 8 of the Request constructor copies most values, but does not copy RequestDestination or RequestType:

  https://fetch.spec.whatwg.org/#dom-request

This means that a service worker that does `fetch(evt.request)` will make a network request with the default destination and type.  This is significant because CSP checking uses these attributes in order to enforce things like child-src, etc.

Is this intentional?  It would seem to break CSP on SW passthrough requests.

---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/262

Received on Wednesday, 23 March 2016 15:04:09 UTC