Re: [whatwg/fetch] Send "null" Origin headers on cross-origin requests from an RFC7686 address (Issue #1350)

> If I understand the proposal correctly, this would have the effect of disabling meaningful access controls for resources that .onion pages wish to access.

That's a good point. It seems indeed like an unfortunate side-effect of the current implementation in Tor Browser.

My understanding of what Tor Browser is trying to protect here is an Onion service accidentally leaking its identity via linking to or embedding cross-origin resources. If we limited this new restriction to no-CORS requests, then the only case of accidental leakage I can think of would be Onion services using an anonymous CORS request in order to use subresource integrity with `https://code.jquery.com/jquery-1.11.1.js` for example. I think we could make a convincing case that the more typical CORS requests (e.g. those with credentials) are intentional and coordinated with the third party (i.e. no _accidental_ leakage).

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1350#issuecomment-965815980

Received on Wednesday, 10 November 2021 22:50:55 UTC
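
The two policies compared in the message above, as an added example that is not part of the original message, the Fetch specification or Tor Browser's code. It models which `Origin` value each policy would send for four constructed requests from a placeholder .onion page; the rule for when an `Origin` header is sent at all is a simplifying assumption, and `originHeader`, `leaksOnion`, `report` and the sample hosts are hypothetical names.

```javascript
// Added illustration: simplified model, not Fetch spec text or Tor Browser code.
// Assumption: an Origin header is emitted for CORS-mode requests and for
// requests whose method is not GET/HEAD (a simplification of Fetch's rules).
const isOnion = (u) => new URL(u).hostname.endsWith(".onion"); // RFC 7686 name

// Returns the Origin header value, or undefined when no header is sent.
// limitToNoCors=false: "null" on every cross-origin request from a .onion page.
// limitToNoCors=true:  the narrower variant floated in the message above.
function originHeader(req, { limitToNoCors }) {
  const from = new URL(req.initiator);
  const to = new URL(req.url);
  const sendsOrigin = req.mode === "cors" || !["GET", "HEAD"].includes(req.method);
  if (!sendsOrigin) return undefined;
  if (from.origin === to.origin || !isOnion(req.initiator)) return from.origin;
  if (limitToNoCors && req.mode !== "no-cors") return from.origin;
  return "null";
}

const leaksOnion = (req, opts) => (originHeader(req, opts) || "").includes(".onion");

// Constructed sample requests; the .onion host is a placeholder.
const ONION = "http://constructedexample.onion";
const samples = {
  // <script integrity=... crossorigin="anonymous">: anonymous CORS request
  sriScript: { initiator: ONION + "/", url: "https://code.jquery.com/jquery-1.11.1.js",
               mode: "cors", credentials: "same-origin", method: "GET" },
  // fetch(..., {credentials: "include"}): CORS coordinated with the third party
  credentialedApi: { initiator: ONION + "/", url: "https://api.example/data",
                     mode: "cors", credentials: "include", method: "GET" },
  // Cross-origin form submission: no-CORS POST
  formPost: { initiator: ONION + "/", url: "https://forms.example/submit",
              mode: "no-cors", credentials: "include", method: "POST" },
  // Plain <img>: no-CORS GET, no Origin header in this model
  image: { initiator: ONION + "/", url: "https://cdn.example/a.png",
           mode: "no-cors", credentials: "include", method: "GET" },
};

function report(opts) {
  return Object.fromEntries(
    Object.entries(samples).map(([name, req]) => [name, originHeader(req, opts)]));
}

console.log("all cross-origin :", report({ limitToNoCors: false }));
console.log("no-CORS only     :", report({ limitToNoCors: true }));
```

Under the narrower policy the `sriScript` request still carries the .onion origin, which is the accidental-leak case the message singles out, while `credentialedApi` keeps a usable origin for the third party's access checks.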