- From: Sergiy Kukunin <notifications@github.com>
- Date: Fri, 10 Sep 2021 06:32:52 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 10 September 2021 13:33:05 UTC
@iamnoah I would argue that URLs are as safe as cookies over https. Yes, middlemen are off, but there still might be sniffers on the client end, for example, https://securitywithsam.com/2019/07/dataspii-leak-via-browser-extensions/. I remember a story (couldn't find proof though) that an extension from a search engine caused unlisted public URLs to be indexed in the search engine - this way a lot of private documents were leaked.

I agree that it's OK with short-lived tokens, but I would still be careful about passing something sensitive over GET params in URLs.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/763#issuecomment-916907600