Re: [whatwg/fetch] CORB: blocking of nosniff and 206 responses (#686)

anforowicz commented on this pull request.



> +<var>response</var> to <var>request</var> be blocked due to CORB?</h4>
+
+<p>Run these steps:
+
+<ol>
+ <li><p>If <var>request</var>'s <a for=request>initiator</a> is "<code>download</code>", then return
+ <b>allowed</b>.
+ <!-- XXX If we recast downloading as navigation this step can be removed. -->
+
+ <li>
+  <p>If <var>request</var>'s <a for=request>current url</a>'s <a for=url>origin</a>'s
+  <a for=url>scheme</a> is not an <a>HTTP(S) scheme</a>, then return <b>allowed</b>.
+
+  <p class="note no-backref">Checking the <a for=url>scheme</a> of <a for=request>current url</a>'s
+  <a for=url>origin</a>, rather than of <a for=request>current url</a>'s itself, ensures that
+  <code>blob:</code> URLs are handled correctly.
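
Review bot: In step 2 the scheme is read from the current url's origin, but an opaque origin (for example, the origin of a data: URL) has no scheme, so the step does not say whether such a request returns allowed or falls through to the later steps. State the opaque case explicitly, for instance "If origin is an opaque origin, or its scheme is not an HTTP(S) scheme, then return allowed", if that is the intent. The note under the step also never says what "handled correctly" means for blob: URLs, and "current url's itself" should read "current url itself". Either spell out the intended outcome for blob: URLs or drop the note.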

You're right - even without CORB cross-origin blob access is blocked today (at
least in Chromium, as [I recently
learned](https://chromium-review.googlesource.com/c/chromium/src/+/922282#message-d997da26d542bc537a9f37b26f60eb69c18a5f08)).

I think this note should simply be removed from the PR.

https://github.com/whatwg/fetch/pull/686#discussion_r185081911

Received on Monday, 30 April 2018 19:17:24 UTC