- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 15 Feb 2017 19:00:16 +0100
- To: Mike West <mike@mikewest.org>
- Cc: WebAppSec WG <public-webappsec@w3.org>

On Wed, Feb 15, 2017 at 5:56 PM, Mike West <mike@mikewest.org> wrote:
> I agree with your analysis about this course of action. Given that it seems
> like a bad idea, what would you suggest that we do?

1. I think we should add evaluating any new fetches to https://w3ctag.github.io/security-questionnaire/. Ideally we forbid new "no-cors" fetches (I thought that was Chrome's policy per the <script type=module> thread, but I guess the security team is not super consistent).

2. We should document the exceptions in Fetch so that servers know what to expect.

--
https://annevankesteren.nl/

Received on Wednesday, 15 February 2017 18:00:47 UTC