Re: [whatwg/fetch] Cross-Origin-Resource-Policy (was: From-Origin) (#687)

> Scheme checking for same-site
> A no-cors HTTP resource loaded from an HTTPS context might remain popular and there are already ways to fix related security issues. It seems good to have CORP/same-site allowing it.
> A no-cors HTTPS resource loaded from an HTTP context might not be as popular now and seems harmful, even in the long run. Maybe we can try disallowing this case.

I agree with Youenn here. The scheme matching case that worries me the most is http images on https pages. We know that is common and we're struggling with how to evolve mixed content blocking for that case too.

The reverse doesn't worry me, i.e. requiring a scheme match for https resources on an http page if the https resource says same-site. The resource is clearly more secure than the page and so its policy response should protect it from ending up in a non-secure context. The only downside I see there is increased complexity, similar to how the referrer header gets stripped in http-to-https transitions. Developers have struggled to understand that for two decades. :/

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/687#issuecomment-395555063

Received on Thursday, 7 June 2018 20:32:24 UTC
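As an added example, not part of this thread and not the Fetch standard's own text or any browser's implementation: a JavaScript model of the Cross-Origin-Resource-Policy decision with the scheme rule the messages above describe for `same-site`. An http resource on an https page stays allowed, an https resource on an http page is blocked, and `same-origin` keeps requiring an exact origin match. The Public Suffix List is replaced by a constructed handful of suffixes, and the later embedder-policy (COEP) interactions are left out.

```javascript
// Added example: a model of the Cross-Origin-Resource-Policy (CORP) check
// discussed in the thread, including the scheme rule for `same-site`.
// Illustrative code, not the Fetch standard's or any browser's.

// Constructed stand-in for the Public Suffix List. A real implementation
// must consult the full list; this subset is only enough for the demo.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk", "github.io"]);

// Registrable domain (eTLD+1): the public suffix plus one more label.
// Returns null when no known suffix matches (e.g. "localhost").
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Two hosts are same site when they are identical or share a non-null
// registrable domain. Schemes are deliberately not compared here; the
// scheme rule lives in corpCheck so the two concerns stay separate.
function sameSite(hostA, hostB) {
  if (hostA === hostB) return true;
  const ra = registrableDomain(hostA);
  return ra !== null && ra === registrableDomain(hostB);
}

// Decide whether a no-cors response may be exposed to the embedding page.
//   pageUrl     - URL of the document making the request (its origin is used)
//   resourceUrl - URL of the response being checked
//   corpHeader  - value of the response's Cross-Origin-Resource-Policy header, or null
// Returns "allowed" or "blocked".
function corpCheck(pageUrl, resourceUrl, corpHeader) {
  const page = new URL(pageUrl);
  const resource = new URL(resourceUrl);
  const policy = (corpHeader ?? "").trim().toLowerCase();

  // No (or unrecognized) policy: behave as before CORP existed.
  if (policy !== "same-origin" && policy !== "same-site") return "allowed";

  // Same-origin embedding is always acceptable under either value.
  if (page.origin === resource.origin) return "allowed";

  // `same-origin` blocks every other origin, same site or not.
  if (policy === "same-origin") return "blocked";

  // `same-site`: hosts must share a registrable domain, and an https
  // resource must not end up in a non-https page. The http-resource-on-
  // https-page case (the common mixed-content one) remains allowed; the
  // https-resource-on-http-page case is the one that gets blocked.
  const schemeOk = page.protocol === "https:" || resource.protocol !== "https:";
  if (sameSite(page.hostname, resource.hostname) && schemeOk) {
    return "allowed";
  }
  return "blocked";
}

// Walk the four scheme combinations for a same-site resource marked `same-site`.
function schemeMatrix() {
  const out = {};
  for (const pageScheme of ["http", "https"]) {
    for (const resScheme of ["http", "https"]) {
      const key = `${resScheme} resource on ${pageScheme} page`;
      out[key] = corpCheck(`${pageScheme}://example.com/page`,
                           `${resScheme}://img.example.com/a.png`,
                           "same-site");
    }
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(schemeMatrix());
}
```

Only the https-resource-on-http-page cell of the matrix comes out blocked; the other three, including http images on https pages, are allowed, which is the split the two messages argue for. Real checks would also have to handle opaque origins and the embedder policy values added later, neither of which this model attempts.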