- From: slaneyrw <notifications@github.com>
- Date: Wed, 11 Aug 2021 05:11:50 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 11 August 2021 12:12:02 UTC
> Sigh. It is a security hole, for the same reason we cannot expose HttpOnly cookies same-origin to script, as already explained.

It's not a security hole for same origin requests. Cookies are a different issue, please don't conflate the two.

As I mentioned in my previous answer, the industry has worked around the problem by changing the response HttpStatus to anything other than 30x, where we can read the header.

--
View it on GitHub: https://github.com/whatwg/fetch/issues/601#issuecomment-896772970