- From: Anne van Kesteren <notifications@github.com>
- Date: Tue, 23 Nov 2021 01:21:34 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1351/review/813392543@github.com>
@annevk commented on this pull request. > @@ -2820,6 +2823,11 @@ given a <a for=/>request</a> <var>request</var>, run these steps: <li><p>Let <var>serializedOrigin</var> be the result of <a>byte-serializing a request origin</a> with <var>request</var>. + <li><p>If <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a>'s + <a for=origin>host</a> ends with "<code>.onion</code>" or "<code>.onion.</code>", and + is not <a>same origin</a> with <var>request</var>'s <a for=request>origin</a>, then set + <var>serializedOrigin</var> to `<code>null</code>`. [[ONION]] So the user navigates to the starting origin? I guess then the scenarios would work. (Typically with fetching there's a starting document with some kind of authority and that would do the fetching, which could then result in a redirect. The initial 307 threw me off.) Assuming the user does the navigation I'd expect: 1. example.onion 307 to example.onion (Origin could be included here, e.g., in case of a POST); example.onion 307 to example.com (it would be null here) 2. example.onion 307 to example.com (it would be null here); example.com to example.onion (it would continue to be null here, as it's been tainted by example.com) -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/1351#discussion_r754927037
Received on Tuesday, 23 November 2021 09:21:46 UTC