You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@yutakahirano noticed one more place that relied request's origin becoming an opaque origin: step 5 of main fetch.
I incorrectly assumed this wouldn't be a problem due to the CORS flag, but the CORS flag is not set if the initial request was same-origin.
I think making the first conditional of step 5 instead read
request's current url's origin is same origin with request's origin, CORS flag is unset, and either request's tainted origin flag is unset or request's mode is not "cors"
This also addresses #737 in that now A -> B -> A would be considered cross-origin even for "no-cors", but leaving that open for further plumbing in HTML et al to override that in select cases (e.g., <img>).
Fixes#756.
This also addresses #737 in that now A -> B -> A would be considered cross-origin even for "no-cors", but leaving that open to discuss whether HTML et al need to override that in select cases (e.g., <img>).
Fixes#756.
Note for future me: the fix in OP wasn't quite correct as a "no-cors" response shouldn't be considered same origin if there is a cross-origin redirect involved.
@yutakahirano noticed one more place that relied request's origin becoming an opaque origin: step 5 of main fetch.
I incorrectly assumed this wouldn't be a problem due to the CORS flag, but the CORS flag is not set if the initial request was same-origin.
I think making the first conditional of step 5 instead read
would fix this.
This is somewhat related to #737.
The text was updated successfully, but these errors were encountered: