Re: Request for input on Foreign Fetch from Martin Thomson on 2016-01-27 (public-webappsec@w3.org from January 2016)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Thu, 28 Jan 2016 04:52:24 +1100
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Mike West <mkwst@google.com>, WebAppSec WG <public-webappsec@w3.org>, Marijn Kruisselbrink <mek@google.com>
Message-ID: <CABkgnnXoNB3p+X0Jc6VJXCk6PTc7XeggWKZoSp13kiKHfCjEJQ@mail.gmail.com>

On 28 January 2016 at 01:25, Anne van Kesteren <annevk@annevk.nl> wrote:
>> When I hear "CORS", I think "Will the foreignorigin's service worker be able
>> to respond to OPTIONS requests?" because that sounds dangerous. I assume
>> preflights will continue to skip both service workers?
>
> Yes. Opting into foreign fetch is the equivalent of OPTIONS.

It's the middle of the night, but this doesn't parse.  If foreign
fetch is the equivalent of OPTIONS, then isn't it reasonable to permit
intercept of OPTIONS requests?  Or omit the OPTIONS requests entirely
in this case?

That assumes a lot about the rest of this discussion, of course.

Received on Wednesday, 27 January 2016 17:52:52 UTC