Re: [whatwg/fetch] Take tainted origin flag into account for the same origin check (#834) from Dominic Farolino on 2018-11-19 (public-webapps-github@w3.org from November 2018)

From: Dominic Farolino <notifications@github.com>
Date: Mon, 19 Nov 2018 09:22:48 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/pull/834/c439973363@github.com>

Ok so my understanding is that this spec change will make A -> B -> A "no-cors" `<img>` responses "opaque", thus asserting the behavior in https://github.com/web-platform-tests/wpt/pull/14112. Having a way for HTML to poke through would allow browsers to avoid that if they wanted. FWIW Chrome is OK with this change, but will collect some metrics before implementation to see if it might break things.

So I guess if we can get all browsers on board then we wouldn't need to add prose allowing HTML to effectively get around the opaqueness of the response?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/834#issuecomment-439973363

Received on Monday, 19 November 2018 17:23:10 UTC