Re: [whatwg/fetch] Define Cross-Origin-Resource-Policy response header (#733) from Anne van Kesteren on 2018-06-18 (public-webapps-github@w3.org from June 2018)

From: Anne van Kesteren <notifications@github.com>
Date: Mon, 18 Jun 2018 03:12:38 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/pull/733/review/129500957@github.com>

annevk commented on this pull request.



> +
+  <p class=note>This means that `<code>Cross-Origin-Resource-Policy: same-site, same-origin</code>`
+  ends up as <b>allowed</b> below as it will never match anything. Two or more
+  `<a http-header><code>Cross-Origin-Resource-Policy</code></a>` headers will have the same effect.
+
+ <li><p>If <var>policy</var> is `<code>same-origin</code>`, then return <b>blocked</b>.
+
+ <li>
+  <p>If the following are true
+
+  <ul class=brief>
+   <li><var>request</var>'s <a for=request>origin</a>'s <a for=url>host</a> is <a>same site</a> with
+   <var>request</var>'s <a for=request>current url</a>'s <a for=url>host</a>
+   <li><var>request</var>'s <a for=request>origin</a>'s <a for=url>scheme</a> is
+   "<code>https</code>" or <var>response</var>'s <a for=response>HTTPS state</a> is
+   "<code>none</code>"

That doesn't seem equivalent as it doesn't clearly evaluate to a boolean.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/733#discussion_r196027409

Received on Monday, 18 June 2018 10:13:03 UTC