Re: [whatwg/fetch] Specify exception to redirect-tainting: Upgrade-Insecure-Requests (UIR) and HSTS scheme upgrades (Issue #1551)

@Rob--W are you sure? We do report (though not enforce) CSP violations before, but step 5 of main fetch currently does UIR-related upgrades of the input and that's way ahead of any tainting that might occur.

HSTS happens after mixed content blocking, but I think that's still correct, although Mixed Content Level 2 might have changed a few things there?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1551#issuecomment-1328919999

Message ID: <whatwg/fetch/issues/1551/1328919999@github.com>

Received on Monday, 28 November 2022 11:26:41 UTC