- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Thu, 28 Jan 2016 15:15:38 +1100
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Mike West <mkwst@google.com>, WebAppSec WG <public-webappsec@w3.org>, Marijn Kruisselbrink <mek@google.com>
On 28 January 2016 at 06:08, Anne van Kesteren <annevk@annevk.nl> wrote: > I meant the latter. We would not issue an OPTIONS fetch. CORS OPTIONS > is a check to see if the server is CORS-aware. Here the service worker > obviously is aware of cross-origin fetches. Ack, thanks. That leaves the question of ambient authority and I think for that you already have your answer and you just aren't happy with it :) Namely, opting in to foreign fetch for a given path prefix (or scope) is an implicit acceptance of the use of ambient authority for all those intercepted requests. Suppressing credentials and reducing visibility would be the responsibility of the SW using explicit controls, not the browser using implicit inference. Ultimately, I think that's a nice outcome. Can then we reduce this problem to one of developer education?
Received on Thursday, 28 January 2016 04:16:12 UTC