Clarify treatment of CORS-enabled requests #50

Open
letitz opened this issue Mar 16, 2021 · 1 comment
letitz commented Mar 16, 2021

Section 3.1. Upgradeable Content states:

We further limit this category in § 4.4 Should fetching request be blocked as mixed content? by force-failing any CORS-enabled request. This means, for example, that mixed content images loaded via <img crossorigin ...> will be blocked.

However section 4.4. Should fetching request be blocked as mixed content? does not seem to make such an exception.

At least one of the two sections seems like it needs revising. Which is it?

annevk commented Mar 16, 2021

As long as we keep

The user agent has been instructed to allow mixed content, as described in § 7.2 User Controls).

I suspect the latter should be modified so that even when the user allows mixed content requests, it's still not allowed for CORS. I think Mozilla would be okay with dropping the UI overrides at this point though.
