- From: youennf <notifications@github.com>
- Date: Wed, 30 May 2018 08:42:01 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 30 May 2018 15:42:22 UTC
> Well, I'm concerned about somebody managing to set up a rogue server at a.example.com:8080 that can then grant access to resources on a.example.com.

I am not sure how typical it is to not be able to control a.example.com:8080 if controlling a.example.com.

There is the potential use case of a public website hosted on 80/443 and the website admin hosted on different ports. In that case, the port restriction for same-site might initially make sense for the public website. But it might make more sense to have the website admin be marked as same-origin, in which case the public website could remain 'same-site'. Not checking the ports would allow the admin website to access public website resources.

If we add support for a list of origins in the future, it is also somehow feasible to define same-site-with-port-check directly.

Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/687#issuecomment-393210918
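The distinction the comment turns on, as an added illustration that is not part of the thread or of the Fetch spec's own text: a.example.com:8080 is cross-origin to a.example.com but lands in the same-site bucket because ports are ignored, so a server check that trusts "same-site" accepts it while one that requires "same-origin" does not. The public-suffix list, `checkPort` option and policy helper are constructed for the example.

```javascript
// Added example (not from the whatwg/fetch thread): how the same-origin /
// same-site / cross-site buckets fall out for the hosts in the discussion,
// and what a port-aware same-site variant would change.

// Constructed mini public-suffix list, just enough for the hosts used here.
// A real implementation would consult the full Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "co.uk"]);

// Registrable domain ("eTLD+1"): longest matching public suffix plus one label.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return null; // host is itself a public suffix, or not covered by the list
}

// Same-origin: scheme, host and port all match (URL gives "" for the default port).
function sameOrigin(a, b) {
  const u = new URL(a), v = new URL(b);
  return u.protocol === v.protocol && u.hostname === v.hostname && u.port === v.port;
}

// Same-site: registrable domains match; scheme is ignored here. Ports are ignored
// too, which is what the comment discusses; checkPort models the hypothetical
// "same-site-with-port-check" variant.
function sameSite(a, b, { checkPort = false } = {}) {
  const u = new URL(a), v = new URL(b);
  const du = registrableDomain(u.hostname), dv = registrableDomain(v.hostname);
  if (du === null || du !== dv) return false;
  return !checkPort || u.port === v.port;
}

// Bucket a request the way a server-side relationship check would see it.
function relation(initiator, target, opts) {
  if (sameOrigin(initiator, target)) return "same-origin";
  if (sameSite(initiator, target, opts)) return "same-site";
  return "cross-site";
}

// Hypothetical policy: accept only if the bucket is in the trusted list.
function allowedByPolicy(initiator, target, trusted, opts) {
  return trusted.includes(relation(initiator, target, opts));
}

const PUBLIC = "https://a.example.com/";          // public site on 443
const OTHER_PORT = "https://a.example.com:8080/"; // same host, different port
console.log(relation(OTHER_PORT, PUBLIC));                      // same-site
console.log(relation(OTHER_PORT, PUBLIC, { checkPort: true }));   // cross-site
console.log(allowedByPolicy(OTHER_PORT, PUBLIC, ["same-origin"])); // false
```

Trusting the "same-origin" bucket alone is what keeps a service on another port of the same host from being treated as a peer.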