Re: [whatwg/fetch] Sketch out a CORP-only mode. (#893)

annevk commented on this pull request.

My main worry here is still that depending on how things shake out long term this could effectively be CORS, without it being clear and without the additional credentials opt-in we require there. (I.e., this is as simple to configure as `Access-Control-Allow-Origin: *` while potentially having greater risk.)

>  
-  <p class="note no-backref">While redirects that carry  a
-  `<a http-header><code>Cross-Origin-Resource-Policy</code></a>` header are checked, redirects
-  without such a header resulting in <var>response</var> do not contribute to this algorithm. I.e.,
-  <var>request</var>'s <a for=request>tainted origin flag</a> is not checked.
+   <li><p><var>request</var> is a <a>navigation request</a> whose <a for=request>reserved client</a>
+   is an <a for=/>environment</a> whose <a for=environment>target browsing context</a> is neither a
+   <a>nested browsing context</a> nor an <a>auxiliary browsing context</a>.
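Review bot: the deleted note (that redirects carrying no `Cross-Origin-Resource-Policy` header do not contribute, i.e. `request`'s tainted origin flag is not checked) is not re-stated anywhere in this hunk, while the added list item only introduces the navigation-request exemption; if the redirect behaviour is unchanged, keep that note next to the algorithm rather than dropping it, since the tainted origin flag is the only record of an earlier cross-origin hop, and if the behaviour did change, the replacement text should say what redirects now contribute. The new list item would also benefit from a short note on why a top-level (neither nested nor auxiliary) navigation is exempt.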

This should explain why the auxiliary navigating the non-auxiliary is not a problem.

>  
  <li>
-  <p>If the following are true
+  <p>If <var>policy</var> is null, and <a>request</a>'s <a for=request>client</a>'s
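Review bot: the condition now keys on `policy` being null, so its effect depends on what the parsing step returns for a header that is present but unparseable; if that also yields null, an erroneous value and an absent header land on the same branch, which the text should state explicitly (and, if the intent is to fail closed once the new boolean is set, header presence needs to be checked separately from the parse result). Also, `<a>request</a>'s` should be `<var>request</var>'s` to match the variable markup used in the rest of the algorithm (the first hunk writes `<var>request</var>`).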

Is this what we want? I kinda feel like an erroneous policy should fail closed when this TBD boolean is set.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/893#pullrequestreview-226029793

Received on Friday, 12 April 2019 11:39:16 UTC
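The branch discussed above, modelled in code as an added example; this is not code from the whatwg/fetch PR or the Fetch spec. It assumes a hypothetical `corpOnly` boolean standing in for the "TBD boolean" in the review, a hypothetical `failClosed` switch to contrast the two treatments of an erroneous header, and a simplified same-site test (last two host labels, no public suffix list). The point it makes is the one raised in the review: a parser that folds "header absent" and "header present but invalid" into the same null `policy` cannot fail closed on the erroneous case without a separate presence check.

```javascript
'use strict';
// Added example (not the Fetch spec's algorithm). `corpOnly` and `failClosed`
// are hypothetical switches used only to illustrate the review discussion.

// Parse a Cross-Origin-Resource-Policy value. Returns the token for a
// recognised value, null when the header is absent, and 'invalid' otherwise,
// so a caller can distinguish "no header" from "garbage header".
function parseCorp(headerValue) {
  if (headerValue === null || headerValue === undefined) return null;
  const v = headerValue.trim().toLowerCase();
  if (v === 'same-origin' || v === 'same-site') return v;
  return 'invalid';
}

function originOf(url) {
  return new URL(url).origin;
}

// Simplified same-site check (assumption: registrable domain = last two
// host labels; a real implementation consults the public suffix list).
function sameSite(urlA, urlB) {
  const site = (u) => new URL(u).hostname.split('.').slice(-2).join('.');
  return new URL(urlA).protocol === new URL(urlB).protocol &&
    site(urlA) === site(urlB);
}

// Returns 'allowed' or 'blocked' for a cross-origin resource.
//   corpOnly   - hypothetical: the embedder opted into the CORP-only mode.
//   failClosed - hypothetical: treat an unparseable header as blocking
//                when corpOnly is set (the behaviour the review asks for).
function corpCheck({ requestOrigin, responseUrl, corpHeader,
                     corpOnly = false, failClosed = false }) {
  if (requestOrigin === originOf(responseUrl)) return 'allowed'; // same-origin never blocked

  const policy = parseCorp(corpHeader);

  if (policy === null) {
    // Header absent: only the opted-in mode blocks.
    return corpOnly ? 'blocked' : 'allowed';
  }
  if (policy === 'invalid') {
    // Header present but erroneous: fail open unless explicitly configured
    // to fail closed. Without the 'invalid' distinction in parseCorp this
    // branch could not exist and the erroneous case would silently follow
    // whichever treatment the null branch gets.
    return (corpOnly && failClosed) ? 'blocked' : 'allowed';
  }
  if (policy === 'same-origin') return 'blocked';
  // policy === 'same-site'
  return sameSite(requestOrigin, responseUrl) ? 'allowed' : 'blocked';
}

// Constructed sample decisions, run when the file is executed directly.
const samples = [
  { requestOrigin: 'https://a.example', responseUrl: 'https://b.example/img.png', corpHeader: null },
  { requestOrigin: 'https://a.example', responseUrl: 'https://b.example/img.png', corpHeader: null, corpOnly: true },
  { requestOrigin: 'https://a.example', responseUrl: 'https://b.example/img.png', corpHeader: 'same-planet', corpOnly: true },
  { requestOrigin: 'https://a.example', responseUrl: 'https://b.example/img.png', corpHeader: 'same-planet', corpOnly: true, failClosed: true },
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', corpCheck(s));
}
```

Running it prints the four decisions: absent header is allowed in the legacy mode and blocked in the opted-in mode, while the erroneous `same-planet` value is allowed under the opted-in mode unless `failClosed` is set, which is exactly the gap the review comment points at.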