- From: Ben Kelly <notifications@github.com>
- Date: Mon, 09 Dec 2019 08:06:57 -0800
- To: w3c/ServiceWorker <ServiceWorker@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 9 December 2019 16:06:59 UTC

What should we do if `cache.match()` is called in a context with `Cross-Origin-Embedder-Policy: require-corp` and the Response to be returned does not have a `Cross-Origin-Resource-Policy` header?

I would like to advocate that we reject the `match()` since it seems possible there could be information stored in the headers that should not be exposed to Spectre attacks. Also, it seems you can have a CORS response without a CORP header that would fail the COEP check and we would not want to expose the body in that case.

@mikewest @annevk @yutakahirano @makotoshimazu

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/w3c/ServiceWorker/issues/1490