- From: Ryosuke Niwa <notifications@github.com>
- Date: Thu, 12 Apr 2018 18:44:01 +0000 (UTC)
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 12 April 2018 18:44:26 UTC
Using the same syntax as CSP sounds good. While there are many considerations to take with respect to Spectre, why don't we start from the simplest form of the proposal? **Starting point:** `From-Origin` response header, if set, prevents the resource with this header from being loaded in the origin not specified by the header. Now let's define the semantics before syntax. First off, can we all agree that this response header should apply to all resource types? HTML, CSS, images, etc...? Can we also agree that this should affect all types of resource loads? `img` element, `script` element, sync & async XHR, fetch, etc... Then we need to decide what it means to be loaded in a document of an origin. There are a few options here: 1. Check all ancestor frames are of the specified origins 2. Check only the origin of the document in which the resource is loaded 3. Check only the origin of the top-level document in which one of the subframes' document loads this resource 4. Check the origin of all frames in the same tab/window, and refuse to load if one of the origins don't match. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/687#issuecomment-380905854
Received on Thursday, 12 April 2018 18:44:26 UTC