- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 27 Jan 2015 14:57:13 +0100
- To: Mike West <mkwst@google.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>, Jake Archibald <jaffathecake@gmail.com>, Alex Russell <slightlyoff@google.com>, Jungkee Song <jungkees@gmail.com>
On Tue, Jan 27, 2015 at 2:38 PM, Mike West <mkwst@google.com> wrote:
> 2. I think our vague plan was to check outgoing requests as well as incoming
> responses, similar to what we've ended up with for MIX. That is, we would
> attempt to prevent the SW from giving us something for a particular request
> that wouldn't have been allowed as an outgoing request.

Agreed, that is part of the reason why Response objects keep track of the network URL (or lack thereof for synthetic responses).

> I don't really understand the issue with `event.default()`. Why does that
> passthrough mechanism not work?

I think the biggest problem is that the Response objects end up being exposed to the SW (and script) and therefore break expected CSP invariants about request contexts. I think the biggest drawback is that Referer ends up being the SW all the time.

The "preserving the final URL" feature from default() we are turning into a primitive, as discussed in that issue thread. I think we might want to do the same with Referer. (Effectively allowing it to be set to any same-origin URL.)

--
https://annevankesteren.nl/
Received on Tuesday, 27 January 2015 13:57:36 UTC
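The check discussed above, as an added example that is not code from this thread, from the Fetch or Service Workers specs, or from any browser: a service worker fetch handler that applies one origin allowlist both to the outgoing request and to the response it hands back. It relies on a real Fetch API property, Response.url, which holds the URL the response was actually fetched from (after redirects) and is the empty string for a Response constructed in script. The allowlist ALLOWED_ORIGINS, the swOrigin parameter and the function names are assumptions standing in for whatever policy (CSP, mixed-content) the browser would enforce.

```javascript
// Added example, not code from the thread or any spec: apply one allowlist to
// both the outgoing request and the response a service worker returns for it.
// Response.url is the network URL (after redirects) and '' for a synthetic
// Response, which is the property the thread says Response objects keep.

// Constructed stand-in for whatever origins the page's policy would permit.
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://cdn.example']);

function originOf(url) {
  try {
    return new URL(url).origin;
  } catch {
    return null; // unparseable URL: never allowed
  }
}

// Decide whether `response` may satisfy a request for `requestUrl`.
// `response` only needs a `url` property, so plain objects work offline.
// `swOrigin` (hypothetical parameter) is the origin of the SW script; a
// synthetic response (url === '') is attributed to it, since script made it.
function checkResponseForRequest(requestUrl, response, swOrigin,
                                 allowedOrigins = ALLOWED_ORIGINS) {
  const requestOrigin = originOf(requestUrl);
  if (requestOrigin === null || !allowedOrigins.has(requestOrigin)) {
    return { ok: false, reason: 'request origin not allowed', effectiveOrigin: requestOrigin };
  }
  const synthetic = response.url === '';
  const effectiveOrigin = synthetic ? swOrigin : originOf(response.url);
  if (effectiveOrigin === null || !allowedOrigins.has(effectiveOrigin)) {
    return { ok: false, reason: 'response origin not allowed', effectiveOrigin };
  }
  return { ok: true, reason: synthetic ? 'synthetic response' : 'network response', effectiveOrigin };
}

// Handler for the SW `fetch` event: block a disallowed request before it
// leaves the worker, and refuse to hand back a response whose actual origin
// the policy would not have allowed (a redirect may have moved it).
function handleFetch(event, swOrigin) {
  const requestOrigin = originOf(event.request.url);
  if (requestOrigin === null || !ALLOWED_ORIGINS.has(requestOrigin)) {
    event.respondWith(Response.error());
    return;
  }
  event.respondWith(
    fetch(event.request).then((response) => {
      const verdict = checkResponseForRequest(event.request.url, response, swOrigin);
      return verdict.ok ? response : Response.error();
    })
  );
}

// Register only when actually running inside a service worker, so the file
// also loads under Node for offline checks of checkResponseForRequest.
if (typeof ServiceWorkerGlobalScope !== 'undefined') {
  self.addEventListener('fetch', (event) => handleFetch(event, self.location.origin));
}
```

The function never trusts the request URL alone: a network response is judged by the origin it really came from, and a synthetic one by the worker's own origin, which is exactly the gap the thread describes when script-produced Response objects are allowed to satisfy arbitrary requests.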