
Re: Request for input on Foreign Fetch

From: Martin Thomson <martin.thomson@gmail.com>
Date: Thu, 28 Jan 2016 15:15:38 +1100
Message-ID: <CABkgnnURG4n4h1c+Ays06492rGT6hZfhYu3-_k6DwxezGHRdpQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Mike West <mkwst@google.com>, WebAppSec WG <public-webappsec@w3.org>, Marijn Kruisselbrink <mek@google.com>

On 28 January 2016 at 06:08, Anne van Kesteren <annevk@annevk.nl> wrote:
> I meant the latter. We would not issue an OPTIONS fetch. CORS OPTIONS
> is a check to see if the server is CORS-aware. Here the service worker
> obviously is aware of cross-origin fetches.

Ack, thanks.  That leaves the question of ambient authority and I
think for that you already have your answer and you just aren't happy
with it :)

Namely, opting in to foreign fetch for a given path prefix (or scope)
is an implicit acceptance of the use of ambient authority for all
those intercepted requests.  Suppressing credentials and reducing
visibility would be the responsibility of the SW using explicit
controls, not the browser using implicit inference.

Ultimately, I think that's a nice outcome.

Can then we reduce this problem to one of developer education?
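As an added illustration (not code from this thread or from any browser's Foreign Fetch implementation), a service worker that makes the credential and header-visibility decision explicit per requesting origin, as the message argues the SW should; the event and method names follow the later Foreign Fetch draft shape, which this thread predates, and the origin allowlist is a constructed sample.

```javascript
// Added example: explicit credential handling in a foreign-fetch service worker.
// API shape (foreignfetch event, event.origin, registerForeignFetch,
// respondWith({response, origin, headers})) follows the later Foreign Fetch
// draft; it is an assumption here since the thread predates that draft.

// Constructed sample allowlist: only these origins keep ambient authority.
const TRUSTED_ORIGINS = new Set(['https://partner.example']);

// Policy for a foreign request: trusted origins get a credentialed fetch and
// a wider set of visible response headers; every other origin gets a
// credential-less fetch and sees only the content type.
function policyFor(origin) {
  if (TRUSTED_ORIGINS.has(origin)) {
    return { credentials: 'include', headers: ['Content-Type', 'Cache-Control'] };
  }
  return { credentials: 'omit', headers: ['Content-Type'] };
}

// Init for the SW's own re-fetch of the intercepted URL on its origin.
// The credentials mode comes from the policy, never from browser inference.
function buildFetchInit(origin) {
  const { credentials } = policyFor(origin);
  return { credentials, mode: 'same-origin' };
}

// Wire-up only inside a service worker global (skipped when run under Node).
if (typeof self !== 'undefined' && typeof self.addEventListener === 'function') {
  self.addEventListener('install', (event) => {
    // Opting in for this scope from any origin: per the message above, this
    // also accepts that ambient authority is now the SW's responsibility.
    event.registerForeignFetch({ scopes: [self.registration.scope], origins: ['*'] });
  });

  self.addEventListener('foreignfetch', (event) => {
    const { headers } = policyFor(event.origin);
    event.respondWith(
      fetch(event.request.url, buildFetchInit(event.origin)).then((response) => ({
        response,
        origin: event.origin, // expose the response only to the requesting origin
        headers,              // explicit header visibility chosen by the SW
      }))
    );
  });
}
```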

Received on Thursday, 28 January 2016 04:16:12 UTC