- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 30 Jul 2015 10:24:32 +0200
- To: Mike West <mkwst@google.com>
- Cc: Brian Smith <brian@briansmith.org>, Brad Hill <hillbrad@gmail.com>, Wendy Seltzer <wseltzer@w3.org>, Dan Veditz <dveditz@mozilla.com>, Kristijan Burnik <burnik@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Alex Russell <slightlyoff@google.com>, Ryan Sleevi <sleevi@google.com>
On Thu, Jul 30, 2015 at 9:59 AM, Mike West <mkwst@google.com> wrote:
> Anne: I'm not sure what you meant by "I suppose it won't always disallow
> that". When would we want to allow insecure responses to secure requests? I
> don't think that's something we've discussed, nor is it something I think is
> terribly appealing.

If you have <img src=https://example.com/x> and the service worker
replies with e.respondWith(fetch("http://unsafe.example/x",
{mode:"no-cors"})) there's nothing really that prevents that. There's
also nothing that prevents the service worker from writing out that
document as <img src=http://unsafe.example/x> in the first place so I
don't think it matters much.

--
https://annevankesteren.nl/
Received on Thursday, 30 July 2015 08:24:58 UTC