- From: Anne van Kesteren <notifications@github.com>
- Date: Wed, 08 Mar 2017 07:44:15 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 8 March 2017 15:44:48 UTC
As I said above to @mnot, different client certificates don't matter, the site is protected in that case unless they opted into CORS with credentials, which is highly unlikely. The main problem is returning a cached resource that was the result of a credentialed request to a non-credentialed CORS request. (There's also advocacy, including my own from before I knew about this issue in Chrome/WebKit and the standard still suggests it, that including ACAO: * is safe as long as it's not a private resource of the intranet kind. And personally I think that should be safe, since it's such a trivial thing to do and so many sites already do it.) -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/307#issuecomment-285076879
Received on Wednesday, 8 March 2017 15:44:48 UTC