- From: Yoav Weiss <notifications@github.com>
- Date: Wed, 06 Nov 2019 17:47:10 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 7 November 2019 01:47:13 UTC
> CORS doesn't have anything to do with same-origin redirects. The reason we don't expose them is because they can contain secrets: https://fetch.spec.whatwg.org/#atomic-http-redirect-handling. The nature of the attack is not 100% clear to me in a same-origin context without any cross-origin redirects. Is the concern that it'd enable an origin to guess its own http-only cookies?

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/955#issuecomment-550582198