Re: [whatwg/fetch] Cross-Origin-Resource-Policy (was: From-Origin) (#687)

There are already extensions that e.g. disable X-Frame-Options; I worry that use of such would become more widespread if CSP is seen as something that breaks the web - to no security benefit for the user - by blocking third-party font and image loads.

The only WPT failure seems to be related to case-insensitive comparison of the value. WebKit currently allows SAME-ORIGIN.
It does not seem that we have yet added tests for HTTP same origin loads from HTTPS contexts. We should probably be consistent no matter whether the load destination is Document or not.
I guess that we could either fail or return an empty response.
This seems to be a good topic to discuss in whatwg/fetch/github
Thanks
Security Advisor 
@WPHH

https://github.com/whatwg/fetch/issues/687#issuecomment-480165580
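The two points raised in the comment above (the header value is compared case-sensitively, so `SAME-ORIGIN` is not a recognised policy, and an `http:` load from an `https:` context is not same-origin) can be made concrete with a small model of the Cross-Origin-Resource-Policy check. This is an added example, not code from the thread or from WebKit; it follows my reading of the Fetch spec's algorithm (unrecognised values fall back to `cross-origin`, and `same-site` additionally rejects an `https:` requester fetching a non-`https:` resource) and it approximates the registrable domain with the last two host labels instead of the Public Suffix List.

```python
from urllib.parse import urlsplit

ALLOWED, BLOCKED = "allowed", "blocked"
DEFAULT_PORTS = {"http": 80, "https": 443}


def registrable_domain(host: str) -> str:
    # Simplification (assumption): last two labels stand in for a Public Suffix List lookup.
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def origin_tuple(url: str):
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))


def corp_check(request_origin: str, response_url: str, corp_header):
    """Model of the Cross-Origin-Resource-Policy check.

    request_origin: the requesting context's origin, e.g. "https://a.example"
    response_url:   the URL the response was fetched from
    corp_header:    raw Cross-Origin-Resource-Policy value, or None if absent
    Returns ALLOWED or BLOCKED.
    """
    if corp_header is None:
        return ALLOWED
    policy = corp_header.strip()
    # Byte-case-sensitive comparison: "SAME-ORIGIN" is an unknown value and is
    # treated as "cross-origin", i.e. the resource is not protected at all.
    if policy not in ("same-origin", "same-site", "cross-origin"):
        policy = "cross-origin"
    if policy == "cross-origin":
        return ALLOWED
    req, resp = origin_tuple(request_origin), origin_tuple(response_url)
    if req == resp:                      # scheme, host and port all match
        return ALLOWED
    if policy == "same-origin":          # https page loading http://same-host lands here
        return BLOCKED
    # policy == "same-site"
    if registrable_domain(req[1]) != registrable_domain(resp[1]):
        return BLOCKED
    if req[0] == "https" and resp[0] != "https":
        return BLOCKED                   # no https -> http downgrade within a site
    return ALLOWED
```

Running the check on `SAME-ORIGIN` shows why the case-sensitivity test matters for deployers: a server that sends the upper-case form gets no protection from a spec-conformant browser.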

Received on Friday, 5 April 2019 06:40:58 UTC