Re: CfC: Republish MIX as CR; deadline July 29th. from Brian Smith on 2015-07-28 (public-webappsec@w3.org from July 2015)

From: Brian Smith <brian@briansmith.org>
Date: Tue, 28 Jul 2015 13:29:25 -0400
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Wendy Seltzer <wseltzer@w3.org>, Dan Veditz <dveditz@mozilla.com>, Brad Hill <hillbrad@gmail.com>
Message-ID: <CAFewVt5pNE4yC9F0tYWTnKg-NnFGXpG-=h=Y=WjbJjo3MGWf+Q@mail.gmail.com>

On Tue, Jul 28, 2015 at 1:16 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Tue, Jul 28, 2015 at 7:05 PM, Brian Smith <brian@briansmith.org> wrote:
> > If I understand correctly, then the |window| property of a request will
> only
> > be set if the request is created as part of an internal fetch for loading
> > subresources like <img src>.
>
> That is not true. You did not give much information as to how you
> arrived at this conclusion so it's unclear what I can do to clarify.
>

Me misunderstanding it is exactly my point: it is very unclear what
behavior is actually being specified, and it should be changed to be more
clear.

In particular, my understanding of what was agreed is that a service worker
should be allowed to forward (unmodified) http:// requests for <img src>,
<video src>, and <audio src>, but otherwise any other http:// fetch in an
HTTPS document should be disallowed. But it is unclear that that is what
the document says.

Cheers,
Brian

Received on Tuesday, 28 July 2015 17:29:54 UTC