- From: Anne van Kesteren <notifications@github.com>
- Date: Tue, 25 Apr 2017 01:04:04 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 25 April 2017 08:04:42 UTC
@sleevi when the user takes action we've already been comfortable breaking SOP. WebRTC screen sharing for instance breaks SOP all over (or did that never ship?). I want code that the browser is not required to implement to be in scope for analytical purposes. You keep talking about constraining it, but I've never made such a suggestion I think. I just want to know what's possible and to have something to contrast SOP restrictions with. E.g., if such code can request arbitrary URLs and also dictate the HTTP method or a header value of a particular HTTP header, that would be interesting information and might mean SOP is overly strict for the non-credential case.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/530#issuecomment-296952059