- From: Ben Kelly <notifications@github.com>
- Date: Thu, 09 Feb 2017 12:10:18 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 9 February 2017 20:10:53 UTC
AFAICT the spec currently does a pre-request CSP check at step 3 of Main Fetch and a post-response CSP check at step 16 of Main Fetch. Between those two points the request could have traversed any number of redirects. Shouldn't CSP like `connect-src 'self'` prevent an XHR or fetch() from traversing a cross-origin redirect?

Also, can someone verify what should be returned in the case of a redirect CSP failure? Should the entire request result in a NetworkError, or should the last 30x response before the policy failure be returned?

https://github.com/whatwg/fetch/issues/485
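The gap the issue describes, as an added toy model that is not code from the issue, the Fetch spec or any browser: a `connect-src 'self'` check applied only before the first request and after the final response never sees an intermediate cross-origin hop, whereas a per-hop check does. The origins, the redirect table, the `mainFetch` name and the `checkEachHop` switch are all constructed for this illustration.

```javascript
// Toy model of Main Fetch with a CSP `connect-src 'self'` policy (added
// example, not the spec's algorithm). All URLs below are constructed.
const DOCUMENT_ORIGIN = "https://app.example";

// Constructed redirect chain: same-origin -> cross-origin -> back to self.
const REDIRECTS = {
  "https://app.example/start": "https://tracker.example/collect",
  "https://tracker.example/collect": "https://app.example/final",
};

// `connect-src 'self'` allows only the document's own origin.
function violatesConnectSelf(url) {
  return new URL(url).origin !== DOCUMENT_ORIGIN;
}

// Walks the redirect chain and applies the CSP check at the chosen points:
//   checkEachHop = false: only pre-request (step 3) and post-response (step 16)
//   checkEachHop = true : additionally at every redirect target
// Returns either { networkError: true, reason, hops } or
// { networkError: false, finalUrl, hops }.
function mainFetch(requestUrl, { checkEachHop }) {
  if (violatesConnectSelf(requestUrl)) {
    return { networkError: true, reason: "blocked before request", hops: [] };
  }
  const hops = [requestUrl];
  let current = requestUrl;
  while (REDIRECTS[current] !== undefined) {
    current = REDIRECTS[current];
    hops.push(current);
    if (checkEachHop && violatesConnectSelf(current)) {
      return { networkError: true, reason: "blocked on redirect to " + current, hops };
    }
  }
  // Post-response check sees only the response's final URL.
  if (violatesConnectSelf(current)) {
    return { networkError: true, reason: "blocked after response", hops };
  }
  return { networkError: false, finalUrl: current, hops };
}
```

With the pre/post checks alone the chain ending back on `app.example` is accepted even though it passed through `tracker.example`; the per-hop variant rejects it at the first cross-origin target.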