- From: npm1 <notifications@github.com>
- Date: Fri, 08 Nov 2019 06:55:27 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/955/review/314251635@github.com>
npm1 commented on this pull request.

> +<var>response</var>, run these steps: + +<ol> + <li><p>If <var>request</var>'s <a for=request>timing allow failed flag</a> is set, then return + failure. + + <li><p>If <var>request</var>'s <a for=request>response tainting</a> is "<code>basic</code>", then return success. + + <li><p>Let <var>values</var> be the result of + <a for="header list">getting, decoding, and splitting</a> + `<code>Timing-Allow-Origin</code></a>` from <var>response</var>'s <a for=response>header list</a>. + + <li><p>If <var>values</var> contains `<code>*</code>`, then return success. + + <li><p>Let <var>serializedOrigin</var> be the result of <a>serializing a request origin</a> with + <var>request</var>.

> Is there a test for this scenario and browser bugs given that it sounded like this was not yet how browsers behaved?

I'll modify https://github.com/web-platform-tests/wpt/blob/master/resource-timing/crossorigin-sandwich-TAO.sub.html because it should no longer pass the TAO check with this change. And will also add a crossorigin sandwich which uses '*' in the header to ensure that it still passes. I imagine browser bugs should be filed once the spec change has landed?

> How are we going to integrate this with the resource timing specification?

We'll replace the timing allow check algorithm with a query into the response's flag.

--
View it on GitHub: https://github.com/whatwg/fetch/pull/955#discussion_r344211584
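Review bot: In the step that tests whether values contains `*`, nothing in the steps shown covers a response whose header list has no Timing-Allow-Origin header, so it is not stated what values is at that point or that the check fails closed. Consider adding an explicit step between the one that defines values and the `*` test that returns failure when no list of values was obtained. Separately, the step that defines values has a stray </a> after <code>Timing-Allow-Origin</code>; the only anchor opened in that item before it is already closed after "getting, decoding, and splitting".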
Received on Friday, 8 November 2019 14:55:30 UTC