- From: Sampson Crowley <notifications@github.com>
- Date: Thu, 09 Feb 2023 07:16:35 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 9 February 2023 15:16:47 UTC
> > Sigh. It is a security hole, for the same reason we cannot expose HttpOnly cookies same-origin to script, as already explained.

> > It's not a security hole for same-origin requests. Cookies are a different issue; please don't conflate the two.

> > As I mentioned in my previous answer, the industry has worked around the problem by changing the response HTTP status to anything other than 30x, where we can read the header.

@slaneyrw Just because you don't understand it doesn't make it not a potential threat. It _does_ need to be opt-in, as there are a _lot_ of redirects in the world of the web that contain sensitive tokens. *Your* JS is not the *only* JS just because it's same-origin.

That, however, _doesn't_ mean it needs to be a required security feature that *can't* be opted out of and that users have zero control over. And *that*, the complete lack of an option, is where the standard has completely dropped the ball.

--
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/601#issuecomment-1424352791
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/issues/601/1424352791@github.com>
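The quoted "change the status to anything other than 30x" workaround, modelled as an added example (this is editor-written illustration, not code from the whatwg/fetch thread or from any of its participants). It assumes a hypothetical opt-in request header `x-redirect-mode: readable` and a hypothetical response header `x-redirect-location`; request and response objects are plain JS objects with lowercase header names, constructed for the demo. The client side reproduces what the Fetch spec gives script for a `redirect: 'manual'` fetch of a 3xx: an `opaqueredirect` response with status 0 and an empty header list, so `Location` is never readable. One caveat a deployer should keep in mind: because the opt-in is a per-request header, any same-origin script can send it, so an endpoint whose `Location` carries a sensitive token should not honour it at all.

```javascript
// Added example (not from the whatwg/fetch thread). Models the "non-30x" workaround:
// a redirect that script is allowed to read is served as 200 with the target in a
// custom header, and only when the caller opted in. Request/response objects are
// plain JS objects with lowercase header names (constructed, hypothetical shape).

const OPT_IN_HEADER = 'x-redirect-mode';     // hypothetical opt-in request header
const TARGET_HEADER = 'x-redirect-location'; // hypothetical response header carrying the target

// Server side: answer a request whose outcome is "go to `target`".
function planRedirect(req, target) {
  const mode = (req.headers[OPT_IN_HEADER] || '').toLowerCase();
  if (mode !== 'readable') {
    // Default: a real 302. fetch() with redirect:'follow' chases it silently;
    // with redirect:'manual' script gets an opaqueredirect response whose
    // header list (Location included) is empty.
    return { status: 302, headers: { location: target } };
  }
  // Opt-in: a status outside 3xx is delivered to script with readable headers.
  // Caveat: any same-origin script can set the opt-in header, so do not take
  // this branch on endpoints whose target URL carries a sensitive token.
  return { status: 200, headers: { [TARGET_HEADER]: target } };
}

// Client side: simulate what fetch(url, {redirect:'manual'}) hands to script for a
// given server response. Per the Fetch spec a 3xx with Location becomes an
// "opaqueredirect" filtered response: type "opaqueredirect", status 0, no headers.
function asSeenByScript(serverResponse) {
  const isRedirect = serverResponse.status >= 300 && serverResponse.status < 400;
  if (isRedirect) {
    return { type: 'opaqueredirect', status: 0, headers: {} };
  }
  return {
    type: 'basic',
    status: serverResponse.status,
    headers: { ...serverResponse.headers },
  };
}

// What a script can actually recover: the target, or null when the platform hid it.
function readableTarget(req, target) {
  const seen = asSeenByScript(planRedirect(req, target));
  if (seen.type === 'opaqueredirect') return null;
  return seen.headers[TARGET_HEADER] || null;
}

// Constructed sample requests: one plain, one that opted in.
const plainRequest = { headers: {} };
const optedInRequest = { headers: { [OPT_IN_HEADER]: 'readable' } };

console.log(readableTarget(plainRequest, '/after-login'));   // null: 302 is opaque to script
console.log(readableTarget(optedInRequest, '/after-login')); // "/after-login": 200 + header is readable
```

The two `console.log` lines at the bottom are the whole demonstration: the same target URL is invisible to script when served as a 302 and visible when the server downgrades to a non-3xx status, which is exactly the trade the quoted comment describes.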