Re: [whatwg/fetch] Specify the behavior of `COEP: credentialless`, (#1229)

@ArthurSonzogni commented on this pull request.

Thanks Yutaka,
I addressed your 3 comments in the latest commit.

> @@ -1892,6 +1892,24 @@ source of security bugs. Please seek security review for features that deal with
  <a for="URL serializer"><i>exclude fragment</i></a> set to true.
 </ol>
 
+<p>To check <dfn export>Cross-Origin-Embedder-Policy allows credentials</dfn>, given a <a
+for=/>request</a> <var>request</var>, run theses steps:
+
+<ol>
+ <li><p>If <var>request</var>'s <a for=request>mode</a> is not <code>no-cors</code>", return
+ true.</p>
+
+ <li><p>If <var>request</var>'s <a for=request>client</a> is null, return true.</p>
+
+ <li><p>If <var>request</var>'s <a for=request>client</a>'s <a for="environment settings
+ object">embedder policy</a> is not "<code><a for="embedder policy

Done.

> @@ -1978,6 +1996,10 @@ initially unset.
 being provided to an API that didn't make a range request. See the flag's usage for a detailed
 description of the attack.
 
+<p>A <a for=/>response</a> has an associated <dfn for=response
+id=concept-response-request-include-credentials>request-include-credentials</dfn>, which is
+initially set.
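Review bot: the new `request-include-credentials` field says only that it is "initially set" and never states what it records or what kind of value it is; the neighbouring range-requested flag at least points the reader to the flag's usage for its purpose. Suggest saying in place what it represents (presumably whether the request that produced this response had credentials included, judging by the name) and, since it is declared with `initially set` like a flag, whether it is a flag or a boolean, so the later "allows credentials" step can refer to it unambiguously.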

Done.

> @@ -4585,6 +4620,9 @@ steps. They return a <a for=/>response</a>.
 
     <p>is true; otherwise false.
 
+   <li><p>If <a>Cross-Origin-Embedder-Policy allows credentials</a> with <var>request</var> is
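Review bot: the inserted step is cut off after `with <var>request</var> is`, so neither the value being tested nor the action taken is visible in this quote; since "Cross-Origin-Embedder-Policy allows credentials" is defined earlier in this PR to return true or false, make sure the landed step names the boolean it compares against and spells out the consequence (the `then` branch) in the same `<li><p>` style as the adjacent steps, rather than leaving it implied by the following step.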

Done.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1229#pullrequestreview-685271409

Received on Thursday, 17 June 2021 07:28:58 UTC