Re: [whatwg/fetch] From-Origin (#687)

> I think `From-Origin` (or whatever we call it) should apply to redirect responses.

I think this is a reasonable direction to move in. To the extent possible, we should give developers the ability to exclude redirect responses from potentially compromised cross-origin processes.

> Some WebKittens talked about this and are agreeing on the following direction:

These seem reasonable from my perspective. Regarding "Support same/same-site values", though, I'd point again at @arturjanc's suggestion that `same` and `same-site` aren't going to be granular enough for applications with interesting cross-origin relationships.

> To be noted that, if the check fails, WebKit will fail the load.

As you note, CORB does not fail the load, but instead delivers a filtered response. I don't have a strong feeling about which behavior we ought to end up with, but I do think that diverging would be confusing. I'd prefer for us to align the response that's returned from both `From-Origin` and CORB if we're going to fold their processing model together. My intuition is that that's simpler to do by treating both as network errors, but I'm curious about the error you're interested in raising, @youennf: would you prefer to raise a `From-Origin`-specific error? If so, why?


Received on Monday, 21 May 2018 05:18:25 UTC