- From: youennf <notifications@github.com>
- Date: Mon, 07 May 2018 05:23:31 +0000 (UTC)
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 7 May 2018 05:24:00 UTC
There are some tests available in WebKit that should be converted to WPT. I guess this is on WebKit team plate. There are some points that might be nice to iron out: - As pointed out by dan, X-Frame-Options behavior is currently not consistent with From-Origin checks for iframe loading. Maybe that is fine but we need to confirm this for sure. - Service Worker interaction. WebKit does the From-Origin check for resources fetched for HTTP. The same check is not yet implemented for resources served through a service worker (which I guess would have no ancestor). - WebKit From-Origin checks do also happen for CORS mode loads. A valid CORS response might fail From-Origin check due to one of its ancestor. I wonder whether this might not make deployment of From-Origin more difficult if there is no way to limit From-Origin check to the document and not the whole ancestor chain. - I believe that loads made from data URL iframes fail any WebKit From-Origin check. Maybe "From-Origin: null, example.com" should be expected to pass. Or maybe there should be some specific handling of data URL iframes. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/687#issuecomment-386960231
Received on Monday, 7 May 2018 05:24:00 UTC