- From: JannisBush <notifications@github.com>
- Date: Wed, 20 Sep 2023 00:56:08 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 20 September 2023 07:56:13 UTC
> Only [request](https://fetch.spec.whatwg.org/#concept-request) [destinations](https://fetch.spec.whatwg.org/#concept-request-destination) that are [script-like](https://fetch.spec.whatwg.org/#request-destination-script-like) or "style" are considered as any exploits pertain to them. Also, considering "image" was not compatible with deployed content.

(https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-nosniff?)

To me the spec reads as if XCTO is only used for script-like and style destinations; however, this is not the case.

- [CORB](https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md#determining-whether-a-response-is-corb_protected) and [ORB](https://github.com/annevk/orb) use XCTO for images and media
- Browsers seem to be using XCTO for iframes and windows as well. Responses with XCTO are either displayed as text/plain or treated as downloads

--
View it on GitHub: https://github.com/whatwg/fetch/issues/1701
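The predicate the quoted spec text refers to, "should response to request be blocked due to nosniff?", is small enough to model directly, which makes the point of the issue concrete: as written, the spec check only ever returns "blocked" for script-like and "style" destinations, so an "image", "iframe" or "document" destination passes through it unchanged whatever `X-Content-Type-Options` says. The following is an added example written for this thread, not code from the Fetch spec, Chromium or the ORB project. It follows the spec's `determine nosniff` steps (first comma-separated token of the header, ASCII case-insensitive) but uses a deliberately simplified header-splitting and MIME-type extraction routine (no quoted-string handling, last `Content-Type` value wins, parameters dropped); the header representation as a list of `(name, value)` pairs and the function names are assumptions of this example.

```python
"""Model of Fetch's "should response to request be blocked due to nosniff?"
(https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-nosniff?).

Added example for the discussion; header parsing is simplified relative to the
spec's "get, decode, and split" and "extract a MIME type" algorithms.
"""
from typing import Optional

# Request destinations the Fetch spec calls "script-like".
SCRIPT_LIKE = {
    "audioworklet", "paintworklet", "script",
    "serviceworker", "sharedworker", "worker",
}

# JavaScript MIME type essences (MIME Sniffing spec list).
JAVASCRIPT_MIME_TYPES = {
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
}

# A header list is modelled as a list of (name, value) pairs (assumption of
# this example); names are compared case-insensitively as in HTTP.
HeaderList = list[tuple[str, str]]


def get_decode_split(headers: HeaderList, name: str) -> Optional[list[str]]:
    """Simplified "get, decode, and split": join all values of `name` with
    ", ", split on commas and strip HTTP whitespace. Quoted strings are not
    handled, which the real algorithm does."""
    values = [v for n, v in headers if n.lower() == name.lower()]
    if not values:
        return None
    return [tok.strip(" \t") for tok in ", ".join(values).split(",")]


def determine_nosniff(headers: HeaderList) -> bool:
    """Fetch's "determine nosniff": only the first token of
    X-Content-Type-Options counts, matched ASCII case-insensitively."""
    values = get_decode_split(headers, "X-Content-Type-Options")
    if values is None:
        return False
    return values[0].lower() == "nosniff"


def extract_mime_type_essence(headers: HeaderList) -> Optional[str]:
    """Simplified "extract a MIME type": last Content-Type value wins,
    parameters are dropped, essence is lowercased; returns None on failure."""
    values = [v for n, v in headers if n.lower() == "content-type"]
    if not values:
        return None
    essence = values[-1].split(";", 1)[0].strip(" \t").lower()
    if "/" not in essence or essence.startswith("/") or essence.endswith("/"):
        return None
    return essence


def should_block_due_to_nosniff(destination: str, headers: HeaderList) -> bool:
    """Return True when the spec predicate says "blocked".

    Note the shape of the check: a response with nosniff is blocked only for
    script-like destinations (when the MIME type is not JavaScript) and for
    "style" (when the essence is not text/css). Every other destination,
    including "image", "iframe" and "document", falls through to "allowed";
    the image/media and navigation handling the thread describes comes from
    CORB/ORB and browser-specific behaviour, not from this predicate.
    """
    if not determine_nosniff(headers):
        return False
    mime = extract_mime_type_essence(headers)
    if destination in SCRIPT_LIKE and (mime is None or mime not in JAVASCRIPT_MIME_TYPES):
        return True
    if destination == "style" and mime != "text/css":
        return True
    return False


if __name__ == "__main__":
    # Constructed sample response headers for a quick run.
    nosniff_html = [("Content-Type", "text/html"), ("X-Content-Type-Options", "nosniff")]
    for dest in ("script", "style", "image", "iframe", "document"):
        print(f"{dest:8s} -> {'blocked' if should_block_due_to_nosniff(dest, nosniff_html) else 'allowed'}")
```

Running the block prints "blocked" for `script` and `style` and "allowed" for `image`, `iframe` and `document`, which is exactly the gap between the spec text and the behaviour the post observes in browsers.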