- From: Arthur Sonzogni <notifications@github.com>
- Date: Wed, 09 Jun 2021 02:30:30 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 9 June 2021 09:31:08 UTC
@ArthurSonzogni commented on this pull request. > @@ -1892,6 +1892,25 @@ source of security bugs. Please seek security review for features that deal with <a for="URL serializer"><i>exclude fragment</i></a> set to true. </ol> +<p>To check <dfn export>Cross-Origin-Embedder-Policy allows credentials</dfn>, given a +<a for=/>request</a> <var>request</var>, run theses steps: + +<ol> + <li><p>If <var>request</var>'s <a for=request>mode</a> is not <code>no-cors</code>", return + true.</p> + + <li><p>If <var>request</var>'s <a for=request>client</a> is null, return true.</p> + + <li><p>If <var>request</var>'s <a for=request>client</a>'s <a for="environment settings + object">embedder policy</a> is not + "<code><a for="embedder policy value">credentialless</a></code>", return true.</p> + + <li><p>If <var>request</var>'s <a for=request>origin</a> is not <a>same origin</a> with I missed inverting the condition in the early return. This was meant to be the opposite, to skip same-origin requests. Good catch! -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/1229#discussion_r648132093
Received on Wednesday, 9 June 2021 09:31:08 UTC