- From: Anne van Kesteren <notifications@github.com>
- Date: Wed, 27 Apr 2022 03:32:36 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 27 April 2022 10:32:48 UTC
@annevk commented on this pull request. > + <p>If <var>request</var>'s <a for=request>mode</a> is "<code>navigate</code>", and + <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a> is not + <a>same origin</a> with <var>request</var>'s <a for=request>origin</a>, then + return failure. So this succeeds when A1 embeds A2. It does not succeed when A1 embeds B. It also succeeds when A1 embeds A2 and A2 redirects to B which redirects to A3. That case seems concerning. This should probably also use "redirect-tainted origin"? -- Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/1422#pullrequestreview-954677028 You are receiving this because you are subscribed to this thread. Message ID: <whatwg/fetch/pull/1422/review/954677028@github.com>
Received on Wednesday, 27 April 2022 10:32:48 UTC