- From: noah <notifications@github.com>
- Date: Thu, 12 Aug 2021 13:10:22 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 12 August 2021 20:10:34 UTC
Just wanted to chime in as a user who appreciates atomic redirects. My use case is redirecting an authenticated CORS request. CORS will not forward the Auth header a second time, so we have to add a token to the redirect Location. If the Location could be accessed via JavaScript, that could open us up to credential-stealing XSS (maybe not directly in this case since CORS, but defense-in-depth is important).

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/763#issuecomment-897934821