- From: Anne van Kesteren <notifications@github.com>
- Date: Tue, 09 Jun 2020 02:00:43 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1030/review/426928535@github.com>
@annevk commented on this pull request. Yeah this looks good to me. Might put some time into figuring out if we can refactor this further, but I think what's important is that now the correct things are compared in the various security checks. > + </ul> + + <p>then return <b>allowed</b>. + + <p>Otherwise, return <b>blocked</b>. + + <p class=note>`<code>Cross-Origin-Resource-Policy: same-site</code>` does not consider a + response delivered via a secure transport to match a non-secure requesting origin, + even if their hosts are otherwise same site. Securely-transported responses will only + match a securely-transported initiator. + </dl> +</ol> + +<p>To <dfn>queue a cross-origin embedder policy CORP violation report</dfn>, given a +<a for=/>response</a> <var>response</var>, an <a for=/>environment settings object</a> +<var>settingsObject</var>, and a <i>report only flag</i>, run these steps: ```suggestion <var>settingsObject</var>, and a boolean <var>reportOnly</var>, run these steps: ``` > </ol> +<p>To perform a <dfn export>cross-origin resource policy check</dfn>, given an <a for=url>origin</a> +origin, an <a for=/>environment settings object</a> <var>settingsObject</var>, a +<a for=/>response</a> <var>response</var>, and an optional <i>navigation flag</i>, run these steps: ```suggestion <a for=/>response</a> <var>response</var>, and an optional boolean <var>forNavigation</var>, run these steps: ``` > </ol> +<p>To perform a <dfn export>cross-origin resource policy check</dfn>, given an <a for=url>origin</a> +origin, an <a for=/>environment settings object</a> <var>settingsObject</var>, a +<a for=/>response</a> <var>response</var>, and an optional <i>navigation flag</i>, run these steps: + +<p class="note no-backref">Only HTML's navigate algorithm uses this check with the +<i>navigation flag</i> set, and it's always for nested navigations. Otherwise, <var>response</var> +is either the <a for=internal>internal response</a> of an <a>opaque filtered response</a> or +a <a for=/>response</a> which will be the <a for=internal>internal response</a> of an +<a>opaque filtered response</a>. [[HTML]] Can we move this note to be after the algorithm? It reads a little weird being before the list of steps. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/1030#pullrequestreview-426928535
Received on Tuesday, 9 June 2020 09:00:55 UTC