Re: [whatwg/fetch] Perform a CSP check when consuming preloaded response (PR #1411)

* It seems that "Run report Content Security Policy violations for request" wouldn't happen.
* Mike's scenario of scheme upgrades seems problematic. Yes, perhaps there's an HTTP cache entry, but is that guaranteed? And either way, wouldn't it result in a service worker being asked, whereas if the scheme upgrade happened before, that wouldn't be the case? (Scheme upgrades are also what Mixed Content Level 2 does.)

I haven't done a complete check, but this seems concerning and also suggests a potential mismatch with implementations that might cause further issues in the future.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1411#issuecomment-1065053601

Message ID: <whatwg/fetch/pull/1411/c1065053601@github.com>

Received on Friday, 11 March 2022 12:07:32 UTC