- From: Ben Kelly <notifications@github.com>
- Date: Tue, 02 May 2017 10:59:08 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 2 May 2017 17:59:41 UTC
> I don't think the current setup has a security issue though. Yes, you can request a "no-cors" cross-origin URL and get a "basic" response back, but as far as I can tell that's all safe.

It is safe, but it seems a bit surprising to me (and I would guess devs). There is no way to get a non-opaque back from `fetch(crossOriginURL, { mode: 'no-cors' })` normally. It would be nice to keep that consistent instead of exposing an exceptional case; "always opaque, unless a service worker intercepts and does something".

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/535#issuecomment-298712459