- From: Anne van Kesteren <notifications@github.com>
- Date: Thu, 21 Oct 2021 09:42:01 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 21 October 2021 16:42:13 UTC
@annevk commented on this pull request.
> @@ -3873,11 +3884,16 @@ steps:
<li>Matching <var>request</var>'s <a for=request>current URL</a>'s <a for=url>host</a> per
<a href=https://datatracker.ietf.org/doc/html/rfc6797#section-8.2>Known HSTS Host Domain Name Matching</a>
results in either a superdomain match with an asserted <code>includeSubDomains</code> directive
- or a congruent match (with or without an asserted <code>includeSubDomains</code> directive).
- [[!HSTS]]
+ or a congruent match (with or without an asserted <code>includeSubDomains</code> directive) or
+ DNS resolution for the request finds a matching HTTPS RR per
+ <a href=https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https#section-8.5>HTTP Strict Transport Security</a>.
+ [[!HSTS]][[!SVCB]]
Well, but if we did that for HSTS as well it would be wrong, right? So whether the internal redirect is supposed to be visible "depends" and that's where the complexity comes in.
Are there tests to ensure images end up being tainted and such?
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1325#discussion_r733860086
Received on Thursday, 21 October 2021 16:42:13 UTC