- From: Ben Kelly <notifications@github.com>
- Date: Wed, 08 May 2019 07:26:24 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 8 May 2019 14:26:46 UTC
Riffing on Yutaka's query parameters issue, if a response has a VARY header an attacker could request the url with a different set of matching request headers. I believe most http caches only store one entry per URL, so this would evict the target url as well. Kind of a corner case since it requires the response to use VARY, though. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/902#issuecomment-490507390
Received on Wednesday, 8 May 2019 14:26:46 UTC