- From: Anne van Kesteren <notifications@github.com>
- Date: Thu, 28 Feb 2019 17:31:30 +0000 (UTC)
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 28 February 2019 17:31:53 UTC
See also #870. There are many Content-Type values that'll be happily parsed as script.

For option 2:

1. I think we should figure out to what extent cross-origin style sheets are a problem. It would be interesting to know how many Chrome fetches lack a `Content-Type` header or have a `Content-Type` header value that cannot be parsed. (Otherwise a strict match for `text/css` is required.) https://bugzilla.mozilla.org/show_bug.cgi?id=1531405 tracks this idea in Firefox.
2. For the subset of JavaScript fetches that lack or have an improper `Content-Type` header it might be feasible to "validate" it in a separate process by running a parser. This would slow them down and a valid MIME type could be used to get out of that.
3. I think requiring CORS for new "types" is very reasonable and we already successfully did that for JavaScript modules.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/721#issuecomment-468363310
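A sketch of the classification implied by item 1 above, added here as an example and not code from the Fetch standard, Chrome or Firefox. It assumes that a missing or unparseable `Content-Type` is let through and anything else must have the essence `text/css`; the function names and the sample header values are constructed, and the parser is a simplified form of the MIME Sniffing "parse a MIME type" steps that ignores parameters.

```javascript
// HTTP token code points, as used for MIME type and subtype.
const HTTP_TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Returns the lowercased "type/subtype" essence, or null when the value
// cannot be parsed as a MIME type. Parameters (";charset=...") are ignored.
function parseEssence(headerValue) {
  const trimmed = headerValue.replace(/^[\t\n\r ]+|[\t\n\r ]+$/g, "");
  const slash = trimmed.indexOf("/");
  if (slash === -1) return null;
  const type = trimmed.slice(0, slash);
  const semi = trimmed.indexOf(";", slash + 1);
  const rawSubtype = semi === -1 ? trimmed.slice(slash + 1)
                                 : trimmed.slice(slash + 1, semi);
  const subtype = rawSubtype.replace(/[\t\n\r ]+$/, "");
  if (!HTTP_TOKEN.test(type) || !HTTP_TOKEN.test(subtype)) return null;
  return (type + "/" + subtype).toLowerCase();
}

// Classifies a cross-origin style sheet response by its Content-Type header
// (null when the header is absent).
function classifyStyleSheetResponse(contentType) {
  if (contentType === null || contentType === undefined) {
    return { allowed: true, reason: "missing" };
  }
  const essence = parseEssence(contentType);
  if (essence === null) return { allowed: true, reason: "unparseable" };
  return essence === "text/css"
    ? { allowed: true, reason: "match" }
    : { allowed: false, reason: "mismatch" };
}

// Counts responses per reason: the measurement the message asks about.
function tally(headerValues) {
  const counts = { missing: 0, unparseable: 0, match: 0, mismatch: 0 };
  for (const value of headerValues) {
    counts[classifyStyleSheetResponse(value).reason] += 1;
  }
  return counts;
}

// Constructed sample header values, not measured data.
const SAMPLES = ["text/css", "Text/CSS; charset=utf-8", " text/css ",
                 "text/html", "text/plain", null, "css"];
console.log(tally(SAMPLES));
```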