Re: [whatwg/fetch] Response filter escalation (#535) from jugglinmike on 2017-05-02 (public-webapps-github@w3.org from May 2017)

From: jugglinmike <notifications@github.com>
Date: Tue, 02 May 2017 10:58:37 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/535/298712333@github.com>

Doesn't it also mean that header information (and possibly authentication information) would be exposed for those cross-origin requests?

For context: Firefox currently un-wraps the response and re-wraps according to the "outer" request's tainting. Chromium follows the letter of the specification. I wrote a demonstration test here:

https://github.com/w3c/web-platform-tests/compare/master...bocoup:fetch-filtering-escalation-demo

I haven't determined whether Firefox observes any sort of filter "precedence", or if it consistently re-wraps.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/535#issuecomment-298712333

Received on Tuesday, 2 May 2017 17:59:11 UTC