- From: Lukasz Anforowicz <notifications@github.com>
- Date: Wed, 17 Apr 2019 21:28:29 +0000 (UTC)
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 17 April 2019 21:28:53 UTC
This bug is motivated by https://crbug.com/952834 where Chromium's implementation of the Cross-Origin-Resource-Policy has incorrectly applied to downloads triggered by the Save-Link-As context menu.

IMO such downloads should be considered browser-initiated (since triggering them requires going through trusted browser UI [the context menu]). Such download requests use [mode](https://fetch.spec.whatwg.org/#concept-request-mode) set to `no-cors` which makes them subject to CORP (FWIW, I don't think `navigate` mode should be used for downloads and I don't see a separate mode just for downloads).

I note that the concept of "browser-initiated" requests is not well defined in specs today (I think). See also "[Directly User-Initiated Requests](https://mikewest.github.io/sec-metadata/#directly-user-initiated)" discussed for [`Sec-Fetch-Site: none`](https://mikewest.github.io/sec-metadata/#sec-fetch-site-header).

/cc @mikewest @annevk @youennf @johnwilander @csreis

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/896