Re: [whatwg/fetch] fetch() "no-cors": cross-origin to same-origin redirect taints response (#737) from youennf on 2018-11-17 (public-webapps-github@w3.org from November 2018)

From: youennf <notifications@github.com>
Date: Fri, 16 Nov 2018 22:14:41 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/737/439592046@github.com>

Uploaded a test in https://github.com/web-platform-tests/wpt/pull/14112
According that test, Firefox and Chrome do treat A->B->A image as same origin while Safari does not. Not sure about Edge.
It might be worth authoring a similar test for scripts and stylesheets.

> That sounds exciting, though for `<img>` a workaround would likely be to use `<iframe>` which I'm 99% sure on only considers the final response for origin comparisons.

You are probably right, we probably only consider final URLs for iframes origin checks.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/737#issuecomment-439592046

Received on Saturday, 17 November 2018 06:15:02 UTC