Re: [whatwg/fetch] Impact of OSCP on SOP (#530)

@annevk I fail to see how you believe SOP is violated, given that the data is not made available to the page, the cookies are not used, Fetch is not used (they literally use different network stacks), that it's shared among all applications (arbitrary apps can write into the cache), and shared among users.

You're taking this view of the primacy of the browser and I'm telling you that it isn't. This is the same context for WebCrypto that caused it to be delayed several years - because no one, besides Mozilla and (for unrelated reasons) Chrome, wanted to or is willing to do Crypto in the browser itself. That is, the spec has to conform to the system capabilities, not the other way around.

The verification of a certificate is a black box input to the Web Platform. Certs go in, an answer comes out. That is quite literally the interface on some platforms. Reimplementing all of that solely in order to explain the platform is unlikely to find any support, except for perhaps Firefox, whose fetching of anything is itself new.

On the other bug, you've suggested it was to protect intranet pages, but it isn't clear how that's achieved, given you can just use an img tag to synthesize the GET request.

https://github.com/whatwg/fetch/issues/530#issuecomment-296185982

Received on Friday, 21 April 2017 13:10:00 UTC