- From: Anne van Kesteren <notifications@github.com>
- Date: Thu, 14 Nov 2019 01:01:59 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 14 November 2019 09:02:05 UTC
That attack is possible regardless of whether the initial fetch is `no-cors` or `navigate`. You can also navigate the `object` element from a same-origin document to the target SVG, same problem. Or is your argument (now, I think it was not before) that navigations of `object` elements should also be `no-cors`? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/948#issuecomment-553791702
Received on Thursday, 14 November 2019 09:02:05 UTC