- From: Anne van Kesteren <notifications@github.com>
- Date: Thu, 24 May 2018 04:24:59 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 24 May 2018 11:25:21 UTC
annevk commented on this pull request. > + `<a http-header><code>Cross-Origin-Resource-Policy</code></a>` and <var>response</var>'s + <a for=response>header list</a>. + + <li><p>If <var>policy</var> is `<code>same</code>`, then return <b>blocked</b>. + + <li> + <p>If <var>policy</var> is `<code>same-site</code>` and neither of the following is true + + <ul class=brief> + <li><p><var>request</var>'s <a for=request>origin</a>'s <a for=origin>host</a> + <a>is a registrable domain suffix of or is equal to</a> <var>request</var>'s + <a for=request>current url</a>'s <a for=url>host</a> + + <li><p><var>request</var>'s <a for=request>current url</a>'s <a for=url>host</a> + <a>is a registrable domain suffix of or is equal to</a> <var>request</var>'s + <a for=request>origin</a>'s <a for=origin>host</a> Time to revisit https://github.com/whatwg/url/pull/72? I suspect having "registrable domain" and "same-site" as a primitive available will be quite useful going forward. We also need to think to what extent we want to do scheme/port-comparisons as well. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/733#discussion_r190551383
Received on Thursday, 24 May 2018 11:25:21 UTC