- From: Noam Rosenthal <notifications@github.com>
- Date: Tue, 26 Apr 2022 09:57:37 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1409/c1110034308@github.com>
> > But are you proposing to also allow that for things that are not styles/scripts? > > My preference would be to allow it for all fetches, but I understand @annevk is against it, and I don't feel strongly. (Especially since it's always easier to start conservative.) > > So the question is which fetches allow it. I can think of a few options: > > * Everything but `fetch()` > * Navigations + `<link>` + `<script>` > * Navigations + `<link rel=preload as=stylesheet>` + `<link rel=stylesheet>` > * ... various other permutations ... > > I'm not sure which option the various participants in this discussion want to go for. Or what is most useful. Or how that plays out in terms of spec layering. But maybe nailing that down is the next step? I guess you made an initial proposal at [#1409 (comment)](https://github.com/whatwg/fetch/pull/1409#issuecomment-1093776742) but I'm not sure if everyone got on board with that... apologies if they did and I'm just confusing matters. I can go with an option where if the destination of the request is `script` it can process any link header, and if it's `style` it can process any `as=font`/`as=img`/`as=style` link header, allowing all the link semantics. It's not more layer-violating than CSP as it only deals with request destinations. -- Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/1409#issuecomment-1110034308 You are receiving this because you are subscribed to this thread. Message ID: <whatwg/fetch/pull/1409/c1110034308@github.com>
Received on Tuesday, 26 April 2022 16:57:49 UTC