W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2016

Re: Request for input on Foreign Fetch

From: Martin Thomson <martin.thomson@gmail.com>
Date: Thu, 28 Jan 2016 04:52:24 +1100
Message-ID: <CABkgnnXoNB3p+X0Jc6VJXCk6PTc7XeggWKZoSp13kiKHfCjEJQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Mike West <mkwst@google.com>, WebAppSec WG <public-webappsec@w3.org>, Marijn Kruisselbrink <mek@google.com>
On 28 January 2016 at 01:25, Anne van Kesteren <annevk@annevk.nl> wrote:
>> When I hear "CORS", I think "Will the foreignorigin's service worker be able
>> to respond to OPTIONS requests?" because that sounds dangerous. I assume
>> preflights will continue to skip both service workers?
>
> Yes. Opting into foreign fetch is the equivalent of OPTIONS.

It's the middle of the night, but this doesn't parse.  If foreign
fetch is the equivalent of OPTIONS, then isn't it reasonable to permit
intercept of OPTIONS requests?  Or omit the OPTIONS requests entirely
in this case?

That assumes a lot about the rest of this discussion, of course.
Received on Wednesday, 27 January 2016 17:52:52 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:17 UTC