- From: Malte Jürgens <notifications@github.com>
- Date: Wed, 29 Nov 2023 05:20:30 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 29 November 2023 13:20:35 UTC
@maltejur commented on this pull request.

> + <li> + <p>Optionally, run <a>upgrade an HTTP request</a> algorithm on <var>request</var>. + + <p class=note>HTTPS upgrading only applies to requests with <a>HTTP(S) scheme</a>s, but it's done + in <a>main fetch</a> instead of <a>HTTP fetch</a> to ensure that + <a>upgrade a mixed content <var>request</var> to a potentially trustworthy URL, if appropriate</a> + step runs next and applies to the upgraded request. +

Sorry for the late comment, but I only noticed this just now. In main fetch, the upgrade algorithm is being run before the referrer is being determined, while a potential HSTS upgrade is happening after the referrer gets determined. If I understand this correctly, that means if we have a referrer policy like `no-referrer-when-downgrade` and from a https site click a http link that can be upgraded to https, the new site will get the referrer if the upgrade is happening through HTTPS Upgrades, but not if the upgrade is happening through HSTS. Is that correct and of any significance?

--
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1655#pullrequestreview-1755250683
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/pull/1655/review/1755250683@github.com>
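
Review bot: The `<p class=note>` in the added `<li>` justifies running the upgrade in main fetch only by its position relative to the mixed content upgrade step; it says nothing about other main fetch steps whose result depends on the request URL's scheme, such as the referrer determination raised in this comment. Suggest stating in the note whether running before those steps is intended. The step also opens with "Optionally" without saying when a user agent may skip it, and both "run <a>upgrade an HTTP request</a> algorithm" and "... step runs next" are missing a "the".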
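
The ordering question raised in the comment above, as an added example that is not part of the original message or of the Fetch specification: a simplified JavaScript model of `no-referrer-when-downgrade` that runs a scheme upgrade either before or after the referrer is determined. The function names, the sample URLs, and the "https only" approximation of "potentially trustworthy" are assumptions made for illustration.

```javascript
// Added illustration: a simplified model, not the Fetch or Referrer Policy spec text.
// Assumption: "potentially trustworthy" is approximated as "scheme is https:".
const isTrustworthy = (url) => new URL(url).protocol === "https:";

// Strip credentials and fragment before a URL is used as a referrer.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// no-referrer-when-downgrade: omit the referrer only when going https -> http.
function referrerFor(referrerSource, currentURL) {
  if (isTrustworthy(referrerSource) && !isTrustworthy(currentURL)) return null;
  return stripForReferrer(referrerSource);
}

// Both upgrade mechanisms are modelled as the same http -> https scheme rewrite.
function upgradeScheme(url) {
  const u = new URL(url);
  if (u.protocol === "http:") u.protocol = "https:";
  return u.href;
}

// Run the two steps in the given order and return what the target would receive.
function simulate(referrerSource, target, order) {
  let current = target;
  let referrer;
  for (const step of order) {
    if (step === "upgrade") current = upgradeScheme(current);
    else if (step === "referrer") referrer = referrerFor(referrerSource, current);
    else throw new Error(`unknown step: ${step}`);
  }
  return { url: current, referrer };
}

// Constructed sample URLs.
const SOURCE = "https://user:pw@a.example/account?id=7#top";
const TARGET = "http://b.example/landing";

// Upgrade first (the order the comment describes for HTTPS Upgrades).
console.log(simulate(SOURCE, TARGET, ["upgrade", "referrer"]));
// Referrer first (the order the comment describes for HSTS).
console.log(simulate(SOURCE, TARGET, ["referrer", "upgrade"]));
```

In both runs the request ends up on `https://b.example/landing`; only the referrer differs, which is the discrepancy the comment asks about.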