- From: Yoav Weiss <notifications@github.com>
- Date: Fri, 10 Feb 2017 05:37:29 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 10 February 2017 13:38:04 UTC
Doesn't an empty destination let you circumvent CSP in similar ways? Preload's implementation in Blink/WebKit currently prevents that by using the same request pipelines that prevent such "type-mismatch reuse" on regular resource requests. (so that `<img src=foo><script src=foo></script>` send out two different requests, at least as far as the rendering engine is concerned). I'm not aware of those pipelines and checks being specced anywhere. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/486#issuecomment-278943472
Received on Friday, 10 February 2017 13:38:04 UTC