- From: Anne van Kesteren <notifications@github.com>
- Date: Thu, 26 Apr 2018 03:52:14 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 26 April 2018 10:52:38 UTC
Response's url list will be empty at that point, but it's set to request's url list in step 9. I wonder if we should avoid doing that for these responses since those URLs can contain confidential information about the user (esp. with redirects). However, if we did that we'd have to modify CSP to account for them as well (CSP expects a URL). No decisions are based on status message so it's probably best kept out. Response's HTTPS state is used by Mixed Content so should be preserved. Response's CSP list is used by the CSP check: https://w3c.github.io/webappsec-csp/#should-block-response. So I guess we should preserve it unless we do something special for CSP. It generally shouldn't contain user-identifiable information. Response's location URL is only used for redirects, which should fail, so probably best omitted. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/686#issuecomment-384596935
Received on Thursday, 26 April 2018 10:52:38 UTC