Re: [whatwg/fetch] Specify exception to redirect-tainting: Upgrade-Insecure-Requests (UIR) and HSTS scheme upgrades (Issue #1551)

Thanks, that's bad.

I guess what needs to happen is that a bunch of the policy decisions are moved from HTTP-redirect fetch to main fetch. This would actually work, I think, for all origin-related checks.

What cannot move is manipulation due to the redirect status. That doesn't involve origin so it should work, but also doesn't seem great.

---

Then separately there's the desire to do some of this as internal redirects (#1426) mainly because we might have to hit the network before we know whether we can do an upgrade. How exactly that should interleave with all the policies is a bit unclear to me at this point though.

cc @davidben 

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1551#issuecomment-1329088197

Message ID: <whatwg/fetch/issues/1551/1329088197@github.com>

Received on Monday, 28 November 2022 13:26:06 UTC