- From: Yutaka Hirano <notifications@github.com>
- Date: Mon, 14 Jun 2021 22:05:46 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1229/review/683556881@github.com>
@yutakahirano commented on this pull request.

> @@ -1892,6 +1892,24 @@ source of security bugs. Please seek security review for features that deal with <a for="URL serializer"><i>exclude fragment</i></a> set to true. </ol> +<p>To check <dfn export>Cross-Origin-Embedder-Policy allows credentials</dfn>, given a <a +for=/>request</a> <var>request</var>, run theses steps: + +<ol> + <li><p>If <var>request</var>'s <a for=request>mode</a> is not <code>no-cors</code>", return + true.</p> + + <li><p>If <var>request</var>'s <a for=request>client</a> is null, return true.</p> + + <li><p>If <var>request</var>'s <a for=request>client</a>'s <a for="environment settings + object">embedder policy</a> is not "<code><a for="embedder policy

https://github.com/whatwg/fetch#formatting Please "do not use newlines inside "inline" elements, even if that means exceeding the column width requirement".

> @@ -1978,6 +1996,10 @@ initially unset. being provided to an API that didn't make a range request. See the flag's usage for a detailed description of the attack. +<p>A <a for=/>response</a> has an associated <dfn for=response +id=concept-response-request-include-credentials>request-include-credentials</dfn>, which is +initially set.

How about "A response has an associated request-include-credentials (a boolean), initially true."?

> @@ -4585,6 +4620,9 @@ steps. They return a <a for=/>response</a>. <p>is true; otherwise false. + <li><p>If <a>Cross-Origin-Embedder-Policy allows credentials</a> with <var>request</var> is

maybe "returns" is better than "is" here.

--
You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/1229#pullrequestreview-683556881
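Review bot: In the @@ -1892,6 +1892,24 @@ hunk, step 1 has an unbalanced quotation mark: `is not <code>no-cors</code>", return` closes a quote that was never opened, while step 3 opens its value with `"<code>`. Suggest `is not "<code>no-cors</code>", return true.` so both values are quoted the same way. The introductory sentence of the same hunk reads "run theses steps", which should be "run these steps".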
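Review bot: In the @@ -1978,6 +1996,10 @@ hunk, the new paragraph defining request-include-credentials gives only the initial state and does not say what the item records or which step reads it, whereas the context lines just above it point the reader to the preceding flag's usage for a description of the attack. Suggest adding one sentence on its purpose, or a pointer to the step that consults it, next to the definition.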
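Review bot: In the @@ -4585,6 +4620,9 @@ hunk, the added list item invokes the check as `<a>Cross-Origin-Embedder-Policy allows credentials</a> with <var>request</var>`, while the definition in the @@ -1892,6 +1892,24 @@ hunk introduces its parameter as "given a request". Consider "given <var>request</var>" at the call site so the invocation uses the same wording as the definition.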
Received on Tuesday, 15 June 2021 05:06:10 UTC