- From: Mike West <notifications@github.com>
- Date: Mon, 23 Apr 2018 07:58:35 +0000 (UTC)
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 23 April 2018 08:00:01 UTC
@TanviHacks: If we change step two of your example to "siteB embeds an `<iframe src=siteB>`...", then I think we've already accepted this risk via `X-Frame-Options: ALLOW-FROM ...` and `Content-Security-Policy: frame-ancestors ...`. It's not clear to me that there's new capability created by enabling similar functionality for non-frame subresources.

If we decide that we don't want to accept that risk, perhaps we could resolve this by failing closed in the presence of `no-referrer`. That is, if a page sets `no-referrer`, then any `From-Origin` value will fail. That should make it difficult to use these headers to detect a specific site, as all sites, same-origin or not, will fail the check.

View it on GitHub: https://github.com/whatwg/fetch/issues/687#issuecomment-383487795
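The fail-closed rule proposed in the comment above, as an added toy model that is not part of the thread, the Fetch spec or any browser. It assumes a simplified `From-Origin` grammar (`same`, or a whitespace-separated list of serialized origins; the real grammar was still under discussion in issue 687), and it reads "a page sets `no-referrer`" as the referrer policy of the document making the subresource request. The point it illustrates is that under `no-referrer` a same-origin requester and a cross-origin requester get the same (failing) outcome, so the header cannot be used to tell one embedding site from another.

```javascript
// Added example, not from the thread or any implementation. Models a
// From-Origin check that fails closed when the requesting document's
// referrer policy is `no-referrer`. The header syntax below is an assumption:
//   From-Origin: same
//   From-Origin: https://a.example https://b.example
const serializeOrigin = (urlString) => new URL(urlString).origin;

// Parse an (assumed) From-Origin value into { same, origins }.
// Returns null for an empty value, which callers treat as "no restriction".
function parseFromOrigin(headerValue) {
  const tokens = headerValue.trim().split(/\s+/).filter(Boolean);
  if (tokens.length === 0) return null;
  if (tokens.length === 1 && tokens[0].toLowerCase() === "same") {
    return { same: true, origins: [] };
  }
  return { same: false, origins: tokens.map(serializeOrigin) };
}

// Decide whether a document at `requesterOrigin`, fetching with
// `referrerPolicy`, may use a response from `responseOrigin` that carries
// `fromOrigin` (null when the header is absent).
function fromOriginAllows({ fromOrigin, responseOrigin, requesterOrigin, referrerPolicy }) {
  if (fromOrigin == null) return true;            // no header, no restriction
  if (referrerPolicy === "no-referrer") return false; // fail closed, per the proposal
  const policy = parseFromOrigin(fromOrigin);
  if (policy === null) return true;
  if (policy.same) return requesterOrigin === responseOrigin;
  return policy.origins.includes(requesterOrigin);
}

// Show what an observer could distinguish for one header value: the outcome
// for a same-origin requester versus a cross-origin requester. Under
// `no-referrer` both entries are false, so the two cases are indistinguishable.
function outcomesFor(fromOrigin, responseOrigin, crossOrigin, referrerPolicy) {
  return {
    sameOrigin: fromOriginAllows({ fromOrigin, responseOrigin, requesterOrigin: responseOrigin, referrerPolicy }),
    crossOrigin: fromOriginAllows({ fromOrigin, responseOrigin, requesterOrigin: crossOrigin, referrerPolicy }),
  };
}

// Constructed sample: siteB serves a resource restricted to itself.
const siteB = "https://siteb.example";
const siteA = "https://sitea.example";
console.log("default policy:", outcomesFor("same", siteB, siteA, "strict-origin-when-cross-origin"));
console.log("no-referrer:   ", outcomesFor("same", siteB, siteA, "no-referrer"));
```

With the default referrer policy the two requesters get different results (`{ sameOrigin: true, crossOrigin: false }`); with `no-referrer` both get `false`, which is the indistinguishability the comment is after. Note the model only fails closed when a `From-Origin` header is actually present, so an unrestricted response keeps loading under `no-referrer`.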