- From: Mike West <notifications@github.com>
- Date: Fri, 12 Apr 2019 05:56:26 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 12 April 2019 12:56:48 UTC
mikewest commented on this pull request.

> - <p class="note no-backref">While redirects that carry a
> - `<a http-header><code>Cross-Origin-Resource-Policy</code></a>` header are checked, redirects
> - without such a header resulting in <var>response</var> do not contribute to this algorithm. I.e.,
> - <var>request</var>'s <a for=request>tainted origin flag</a> is not checked.
> + <li><p><var>request</var> is a <a>navigation request</a> whose <a for=request>reserved client</a>
> + is an <a for=/>environment</a> whose <a for=environment>target browsing context</a> is neither a
> + <a>nested browsing context</a> nor an <a>auxiliary browsing context</a>.

Well, hrm. I guess that actually is a problem without process isolation. `attacker.site` could open `attacker.site` in a new window, the latter could navigate the former to `victim.site`, and sadness would ensue.

Perhaps this should instead ask whether we're navigating within a unit of related browsing contexts? Or whatever the new hotness is? "User agent cluster"?

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/893#discussion_r274893471
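Review bot: the new condition in the `+` lines (a navigation request whose target browsing context is neither a nested nor an auxiliary browsing context) exempts every top-level navigation from this check, but a top-level browsing context can still be navigated by a cross-origin window in the same unit of related browsing contexts, for instance an auxiliary window navigating its opener; without process isolation the cross-origin response then lands in a process the attacker's document already occupies, which is the case the check exists to exclude. Suggest keying the exemption on whether the navigation stays within the same unit of related browsing contexts (or on the absence of an opener relationship) rather than on nested/auxiliary, and, if the removed note about redirects without a `Cross-Origin-Resource-Policy` header and the tainted origin flag is dropped rather than moved elsewhere in the PR, restating where such redirects are handled so the deletion is not read as a silent behaviour change.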