Re: [whatwg/fetch] Block subresource requests whose URLs include credentials. (#465)

I found this code in Chromium https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/platform/loader/fetch/fetch_parameters.cc;l=94;drc=a432cd59d51281057ba2a2673ca645a9600bb927 which seems to *strip* usernames and passwords from some requests... looking at the call sites, it appears the list of requests is somewhat random, including mostly CORS subresources, but also prefetches and preloads?

We are trying to determine whether to emulate this pattern for new CORS subresource requests... if this is in specs somewhere and I missed it, please let me know.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/465#issuecomment-1263103213

Message ID: <whatwg/fetch/pull/465/c1263103213@github.com>

Received on Friday, 30 September 2022 04:58:02 UTC
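
The two behaviours this thread contrasts, blocking a subresource request whose URL includes credentials (the pull request title) and stripping the credentials before the request goes out (what the message above describes), shown as an added JavaScript example that is not part of the message and is not code from Chromium or the Fetch Standard. The function names and the `block` / `strip` policy labels are assumptions; the last constructed sample shows that a relative URL inherits credentials from its base URL when parsed.

```javascript
// Added illustration; not code from Chromium or the Fetch Standard.
// Function names and the policy labels 'block' / 'strip' are assumptions.

// URL Standard: a URL "includes credentials" when its username or
// password is not the empty string.
function includesCredentials(url) {
  return url.username !== '' || url.password !== '';
}

// Resolve `input` against `base`, then apply one policy to the result.
function applyCredentialPolicy(input, base, policy) {
  let url;
  try {
    url = new URL(input, base);
  } catch (e) {
    return { action: 'invalid', url: null };
  }
  if (!includesCredentials(url)) {
    return { action: 'allow', url: url.href };
  }
  if (policy === 'block') {
    // Refuse the request outright; nothing is sent.
    return { action: 'block', url: null };
  }
  if (policy === 'strip') {
    // Drop the userinfo and let the request continue without it.
    url.username = '';
    url.password = '';
    return { action: 'strip', url: url.href };
  }
  throw new Error('unknown policy: ' + policy);
}

// Constructed sample inputs (example.com / example.net are placeholders).
const DOC = 'https://example.com/app/';
const CRED_DOC = 'https://user:pw@example.com/app/';
const SAMPLES = [
  ['https://user:pw@example.net/a.js', DOC],   // username and password
  ['https://user@example.net/a.js', DOC],      // username only
  ['https://example.net/a@b.js', DOC],         // '@' in the path, no userinfo
  ['img.png', CRED_DOC],                       // inherits userinfo from base
];

for (const [input, base] of SAMPLES) {
  const blocked = applyCredentialPolicy(input, base, 'block');
  const stripped = applyCredentialPolicy(input, base, 'strip');
  console.log(input, '->', blocked.action, '|', stripped.action, stripped.url);
}
```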