- From: Anne van Kesteren <notifications@github.com>
- Date: Tue, 05 Mar 2019 04:55:35 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 5 March 2019 12:55:57 UTC
I chatted with @jakearchibald and I'm no longer convinced range requests are much of an issue. It seems we first always determine the type of a media resource and then any range requests will go to a fixed URL, meaning it'll only potentially "leak" content of a resource identified to be a media resource. See also https://github.com/whatwg/fetch/issues/144#issuecomment-368040980. The main thing remaining here is an exact list of file signatures we would want to safelist. And not allow extensions of that list (use CORS). @lukewagner also considers a basic JavaScript-validating function to be doable (if you don't want the performance hit, use a valid `Content-Type` or CORS). Which leaves CSS, getting telemetry on that would be great. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/721#issuecomment-469669421
Received on Tuesday, 5 March 2019 12:55:57 UTC