- From: Patrick Meenan <notifications@github.com>
- Date: Tue, 18 Nov 2025 07:12:09 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 18 November 2025 15:12:13 UTC
pmeenan left a comment (whatwg/fetch#1839)

I don't think the redirect tracking is necessary (unless I'm missing an attack vector). Compression dictionaries don't put the request into a COEP context if it isn't already in one. If it IS in a COEP context already then the request itself will be blocked as it follows the redirect chain, just as it normally would.

I'm proposing that the suitability of decoding a body using compression dictionaries mirrors the suitability of a response needing CORP protections, so we can just leverage the existing response header specifically when decoding the body (the regular protections are still in place). There is no situation where a response would be suitable for CORP cross-origin and not suitable for dictionary decoding, and no situation where dictionary decoding would be suitable but the response wouldn't be suitable for CORP cross-origin (since they are both explicitly to protect against side-channel readability attacks of the payload), but using it for dictionary compression doesn't need to force-enable COEP.

-- 
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/1839#issuecomment-3548079776
Message ID: <whatwg/fetch/issues/1839/3548079776@github.com>