- From: Daniel Cheng <notifications@github.com>
- Date: Fri, 23 Apr 2021 18:26:26 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/1221@github.com>
The steps for performing a TAO check are defined here: https://fetch.spec.whatwg.org/#tao-check 1. If request’s timing allow failed flag is set, then return failure. 2. If request’s response tainting is `"basic"`, then return success. 3. Let values be the result of getting, decoding, and splitting `Timing-Allow-Origin` from response’s header list. 4. If values contains `"*"`, then return success. 5. If values contains the result of serializing a request origin with request, then return success. 6. Return failure. If I interpret https://fetch.spec.whatwg.org/#ref-for-concept-request-response-tainting%E2%91%A4 correctly, response tainting is always `"basic"` for navigate requests. Does this imply the TAO check would always pass when reporting the resource for a child frame navigation to the parent frame, even if cross-origin? A separate question would be if the TAO check needs to separately account for the fact that the parent frame's origin may not be the same as the request's origin. Reading https://html.spec.whatwg.org/multipage/browsing-the-web.html#initialise-the-document-object and https://w3c.github.io/navigation-timing/#dfn-create-the-navigation-timing-entry, I don't see where the behavior of reporting navigation timing to the parent Document is defined. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/1221
Received on Saturday, 24 April 2021 01:26:38 UTC