- From: Noam Rosenthal <notifications@github.com>
- Date: Fri, 29 Apr 2022 00:44:50 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 29 April 2022 07:45:02 UTC
> > I can go with an option where if the destination of the request is `script` it can process any link header, and if it's `style` it can process any `as=font`/`as=img`/`as=style` link header, allowing all the link semantics. It's not more layer-violating than CSP as it only deals with request destinations.
>
> OK, so concretely, Fetch would contain this logic, which dispatches to HTML's "process link headers for subresources" which just assumes that if it's called it's allowed to do full `Link` processing. (Maybe it doesn't even need to be subresource-specific.)

`process link headers for subresources` would need a list of allowed destinations, but otherwise that's the idea. Perhaps this can still be totally inside HTML, make this check on style/script/preload-as-script/style response (with a suitable `as`). It does create some exception to the rule that preload is network only, but maybe that's OK.

--
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1409#issuecomment-1112969016
Message ID: <whatwg/fetch/pull/1409/c1112969016@github.com>