- From: Ben Kelly <notifications@github.com>
- Date: Wed, 06 Oct 2021 13:21:10 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 6 October 2021 20:21:22 UTC
Currently we expose a `Sec-Fetch-Site` header to servers, but hide this information from service workers. The `Sec-Fetch-Site` and `origin` headers are not populated until after the FetchEvent is handled by the service worker. This means the service worker cannot reason about whether the incoming request is from a safe same-origin initiator or a potentially hostile cross-site initiator.

To address this we propose to add a `Request.site` getter that returns `same-origin`, `same-site`, or `cross-site`. The value would be based on the request's internal origin and origin tainting flag.

This was discussed at the recent SW virtual F2F: w3c/ServiceWorker#1604

View it on GitHub: https://github.com/whatwg/fetch/issues/1322
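As an added illustration (not code from the thread or from any browser), the following models the three values the proposed `Request.site` getter would return for a request given its initiator origin, and shows the kind of decision a service worker fetch handler could make with them. `Request.site` is a proposal, so the handler sketch only runs where that getter exists; `registrableDomain` is a simplification that uses the last two host labels instead of the Public Suffix List.

```javascript
// Added example: model of the proposed Request.site values and a fetch-handler
// decision built on them. Request.site does not exist in shipping browsers.

// Simplified registrable domain (assumption for this demo): last two labels.
// Browsers use the Public Suffix List, so hosts under e.g. co.uk differ.
function registrableDomain(host) {
  const labels = host.split('.');
  return labels.length <= 2 ? host : labels.slice(-2).join('.');
}

// Classifies an initiator origin relative to the request URL, following the
// Fetch spec notions: same origin; same site (same scheme and same registrable
// domain); otherwise cross-site. An opaque initiator (serialized as "null",
// the origin-tainted case) is always cross-site.
function classifySite(initiatorOrigin, requestUrl) {
  if (!initiatorOrigin || initiatorOrigin === 'null') return 'cross-site';
  const a = new URL(initiatorOrigin);
  const b = new URL(requestUrl);
  if (a.origin === b.origin) return 'same-origin';
  if (a.protocol === b.protocol &&
      registrableDomain(a.hostname) === registrableDomain(b.hostname)) {
    return 'same-site';
  }
  return 'cross-site';
}

// Policy a worker might apply: serve read-only requests from the worker for any
// initiator, but let state-changing requests from anything other than a
// same-origin initiator bypass the worker so the server's own Sec-Fetch-Site
// check is what decides.
function shouldHandleInWorker(site, method) {
  const readOnly = ['GET', 'HEAD', 'OPTIONS'].includes(method.toUpperCase());
  return readOnly || site === 'same-origin';
}

// Hypothetical handler using the proposed getter; only wired up inside a worker.
if (typeof self !== 'undefined' && typeof self.addEventListener === 'function') {
  self.addEventListener('fetch', (event) => {
    const site = event.request.site; // proposed getter, assumed present
    if (site !== undefined && shouldHandleInWorker(site, event.request.method)) {
      event.respondWith(fetch(event.request));
    }
    // Otherwise fall through: the browser performs the request normally.
  });
}
```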