Re: [whatwg/fetch] Perform TAO check when reporting, using global's origin (PR #1422) from Noam Rosenthal on 2022-04-05 (public-webapps-github@w3.org from April 2022)

From: Noam Rosenthal <notifications@github.com>
Date: Tue, 05 Apr 2022 05:08:29 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/pull/1422/c1088624377@github.com>

> I left a comment in #1421 as well. Not entirely sure about this.

Because of the lack of origin serialization?

Serialization and the specific notes aside, any reason to be unsure, or an alternative way to go about this?
The main issue is the "basic" response tainting due to this being a navigation. This timing info is both TAO protected and not; It's TAO protected only when reporting to the iframe.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1422#issuecomment-1088624377
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/pull/1422/c1088624377@github.com>

Received on Tuesday, 5 April 2022 12:08:41 UTC