- From: Anne van Kesteren <notifications@github.com>
- Date: Fri, 21 Apr 2017 06:48:32 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 21 April 2017 13:49:08 UTC

@sleevi if the request is identical to what can be achieved by `img` I agree that SOP is not violated. If however there are request headers there that are outside of what `img` or `XMLHttpRequest` or `fetch()` can generate I'd argue SOP would be violated. (I don't think whether the data is made available matters (that is what CORS on the response is for, not a CORS preflight), cookies don't matter (we don't allow requests without credentials to do more), Fetch not being used doesn't matter (it's still a request resulting from user action in the browser).)

-- 
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/530#issuecomment-296195374