- From: Jake Archibald <notifications@github.com>
- Date: Sun, 13 May 2018 17:51:14 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 14 May 2018 00:51:36 UTC
@anforowicz

> "destination" might not always be available (not sure if the "network service" in Chromium will be aware of it - I think it tries to shy away from any content::ResourceType knowledge) or trustworthy (the renderer can just lie). Therefore, I'd rather avoid using the "destination" for a decision here.

That step's more of an early-exit. It'll also be handled in the later steps in case of `fetch(url, { mode: 'no-cors' })`.

> I don't understand why we'd switch this approach to sniffing for allowed resources:

Isn't it better to further limit the amount of no-cors data that can end up in the process? It just seems like no-cors is a source of so many security issues, so trying to restrict it as much as possible seems like a good thing.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/721#issuecomment-388669289