Skip to content
Permalink
Browse files

Take tainted origin flag into account for the same origin check

This also addresses #737 in that now A -> B -> A would be considered cross-origin even for "no-cors", but leaving that open to discuss whether HTML et al need to override that in select cases (e.g., <img>).

Fixes #756.
  • Loading branch information...
annevk committed Nov 20, 2018
1 parent ba2fb9c commit 986618a62b2d7d31f93177ed178f0cb21b570d85
Showing with 2 additions and 2 deletions.
  1. +2 −2 fetch.bs
@@ -2997,8 +2997,8 @@ with a <i>CORS flag</i> and <i>recursive flag</i>, run these steps:

<dl class=switch>
<dt><var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a> is
<a>same origin</a> with <var>request</var>'s <a for=request>origin</a> and <i>CORS flag</i> is
unset
<a>same origin</a> with <var>request</var>'s <a for=request>origin</a>, <var>request</var>'s
<a for=request>tainted origin flag</a> is unset, and the <i>CORS flag</i> is unset
<dt><var>request</var>'s <a for=request>current URL</a>'s <a for=url>scheme</a> is
"<code>data</code>"
<dt><var>request</var>'s <a for=request>mode</a> is

0 comments on commit 986618a

Please sign in to comment.
You can’t perform that action at this time.