We based what fetch() with no-cors can do upon CORS, but while that makes sense for requests, it doesn't make a whole lot of sense for responses now that opaque response has lost some of its meaning due to Spectre.
This was previously discussed in w3c/ServiceWorker#1509. It seems easy to have an early block if request's method was not GET.
I don't know if we want to do anything about request headers, though it does seem kind of suspicious if a GET comes with a Content-Type header, it also doesn't seem like the kind of thing a server would trip over (famous last words?).
cc @jakearchibald
Related bugs (some hidden, but it was long ago decided to disclose this):