- From: Dominic Farolino <notifications@github.com>
- Date: Sat, 09 Nov 2019 08:28:40 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Saturday, 9 November 2019 16:28:42 UTC
domfarolino commented on this pull request.

> @@ -3375,8 +3374,8 @@ with a <i>CORS flag</i> and <i>recursive flag</i>, run these steps: <dl class=switch> <dt><var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a> is - <a>same origin</a> with <var>request</var>'s <a for=request>origin</a>, <var>request</var>'s - <a for=request>tainted origin flag</a> is unset, and the <i>CORS flag</i> is unset + <a>same origin</a> with <var>request</var>'s <a for=request>origin</a>, and <var>request</var>'s + <a for=request>response tainting</a> is "<code>basic</code>"

It's likely I'm missing something, but I don't exactly see how this condition changes, could you please explain:

> This also fixes an issue whereby we checked origin tainting rather than response tainting in main fetch which results in a minor bug when it comes to opaquing A -> B -> A chains.

From what I can tell, assuming the current URL's origin is same-origin with request's origin, then:

- Whenever _tainted origin flag_ is unset, _response tainting_ is always "basic" here, and
- Whenever _tainted origin flag_ is set, _response tainting_ is not "basic"

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/960#pullrequestreview-314566106
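Review bot: in the rewritten dt condition, the explicit checks that the tainted origin flag and the CORS flag are unset are both replaced by a single check that response tainting is "basic", and nothing in the visible lines says why that one check covers both. Suggest adding a short note beside this branch that states the case in which the old and new conditions give different results (the A -> B -> A chain named in the commit message), so the change reads as a behaviour fix and not as a rewording.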