- From: youennf <notifications@github.com>
- Date: Thu, 07 Jun 2018 13:18:20 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 7 June 2018 20:18:42 UTC
LGTM to have this as v1. I think we can continue the two items that are under discussion as follow-up issues. Here is my personal thinking on these two items.

1. Add a list of origins in addition to same-origin and same-site

This seems fine as long as it stays very simple, meaning simple string matching like done for ACAO for each origin. Maybe same-site+a list of origins is something we could consider too, I am not sure.

2. Scheme checking for same-site

A no-cors HTTP resource loaded from an HTTPS context might remain popular and there are already ways to fix related security issues. It seems good to have CORP/same-site allowing it.

A no-cors HTTPS resource loaded from an HTTP context might not be as popular now and seems harmful, even in the long run. Maybe we can try disallowing this case.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/687#issuecomment-395551229
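The two follow-up ideas in the message above, sketched as an added JavaScript example (not code from the message or from the Fetch specification): exact string matching against a list of origins, and a same-site check that rejects only an HTTPS resource requested from an HTTP context. The function names, the array form of the policy, and the two-label approximation of a site are assumptions made for illustration.

```javascript
// Added illustration; hypothetical helper names, not spec text.

// Assumption: a site is approximated by the last two host labels.
// A real implementation derives the registrable domain from the Public Suffix List.
function siteOf(host) {
  return host.split(".").slice(-2).join(".");
}

// policy: "same-origin", "same-site", or (hypothetical) an array of origin strings.
// requesterOrigin: origin of the context making the no-cors request.
// resourceUrl: URL of the resource that carries the policy.
function corpAllows(policy, requesterOrigin, resourceUrl) {
  const req = new URL(requesterOrigin);
  const res = new URL(resourceUrl);

  // A same-origin requester passes under every policy form modelled here
  // (for the list form this is an assumption).
  if (req.origin === res.origin) return true;

  if (Array.isArray(policy)) {
    // Item 1: simple string matching per origin, as done for ACAO.
    // No wildcards, no normalisation of the list entries.
    return policy.includes(req.origin);
  }
  if (policy === "same-origin") return false;
  if (policy === "same-site") {
    if (siteOf(req.hostname) !== siteOf(res.hostname)) return false;
    // Item 2: an HTTP resource loaded from an HTTPS context stays allowed,
    // an HTTPS resource loaded from an HTTP context is refused.
    if (res.protocol === "https:" && req.protocol !== "https:") return false;
    return true;
  }
  throw new TypeError("policy form not modelled in this sketch");
}
```
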