Re: [whatwg/fetch] Specify the behavior of `COEP: credentialless`, (#1229)

@annevk commented on this pull request.



> @@ -1892,6 +1892,24 @@ source of security bugs. Please seek security review for features that deal with
  <a for="URL serializer"><i>exclude fragment</i></a> set to true.
 </ol>
 
+<p>To check <dfn export>Cross-Origin-Embedder-Policy allows credentials</dfn>, given a
+<a for=/>request</a> <var>request</var>, run theses steps:
+
+<ol>
+ <li><p>If <var>request</var>'s <a for=request>mode</a> is not <code>no-cors</code>", return
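
Review bot: Typo in the sentence that introduces the algorithm: `run theses steps:` should read "run these steps:".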

Missing quotation mark.

> @@ -1892,6 +1892,24 @@ source of security bugs. Please seek security review for features that deal with
  <a for="URL serializer"><i>exclude fragment</i></a> set to true.
 </ol>
 
+<p>To check <dfn export>Cross-Origin-Embedder-Policy allows credentials</dfn>, given a
+<a for=/>request</a> <var>request</var>, run theses steps:
+
+<ol>
+ <li><p>If <var>request</var>'s <a for=request>mode</a> is not <code>no-cors</code>", return
+ true.</p>
+
+ <li><p>If <var>request</var>'s <a for=request>client</a> is null, return true.</p>
+
+ <li><p>If <var>request</var>'s <a for=request>client</a>'s <a for="environment settings
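
Review bot: The `client</a> is null, return true` step fails open: a request without a client is allowed credentials before any embedder policy is consulted. Add a note stating which requests reach this step with a null client and why including credentials is acceptable for them.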

No newlines inside phrasing elements, including in tags.

> @@ -3421,9 +3443,22 @@ Cross-Origin-Resource-Policy     = %s"same-origin" / %s"same-site" / %s"cross-or
  <li><p>If <var>policy</var> is neither `<code>same-origin</code>`, `<code>same-site</code>`, nor
  `<code>cross-origin</code>`, then set <var>policy</var> to null.
 
- <li><p>If <var>policy</var> is null and <var>embedderPolicyValue</var> is
- "<code><a for="embedder policy value">require-corp</a></code>", then set <var>policy</var> to
- `<code>same-origin</code>`.
+ <li><p>If <var>policy</var> is null, switch on <var>embedderPolicyValue</var>:

`<li>` contains multiple children so `<p>` needs to be on a new line.

> @@ -1892,6 +1892,24 @@ source of security bugs. Please seek security review for features that deal with
  <a for="URL serializer"><i>exclude fragment</i></a> set to true.
 </ol>
 
+<p>To check <dfn export>Cross-Origin-Embedder-Policy allows credentials</dfn>, given a
+<a for=/>request</a> <var>request</var>, run theses steps:
+
+<ol>
+ <li><p>If <var>request</var>'s <a for=request>mode</a> is not <code>no-cors</code>", return
+ true.</p>
+
+ <li><p>If <var>request</var>'s <a for=request>client</a> is null, return true.</p>
+
+ <li><p>If <var>request</var>'s <a for=request>client</a>'s <a for="environment settings
+ object">embedder policy</a> is not
+ "<code><a for="embedder policy value">credentialless</a></code>", return true.</p>
+
+ <li><p>If <var>request</var>'s <a for=request>origin</a> is <a>same origin</a> with
+ <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a>, return true.</p>

This check seems sketchy. What about redirects? Should this use tainted origin flag instead?

> @@ -1892,6 +1892,24 @@ source of security bugs. Please seek security review for features that deal with
  <a for="URL serializer"><i>exclude fragment</i></a> set to true.
 </ol>
 
+<p>To check <dfn export>Cross-Origin-Embedder-Policy allows credentials</dfn>, given a
+<a for=/>request</a> <var>request</var>, run theses steps:
+
+<ol>
+ <li><p>If <var>request</var>'s <a for=request>mode</a> is not <code>no-cors</code>", return

then return* (throughout)

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1229#pullrequestreview-753631121

Received on Tuesday, 14 September 2021 08:30:02 UTC