Bug 1184855
Opened 9 years ago
Closed 9 years ago
Fetch interception for XMLDocument.load() does not respect cross origin restrictions
Categories
(Core :: DOM: Service Workers, defect)
RESOLVED
INVALID
People
(Reporter: albert, Unassigned)
References
Details
(Keywords: csectype-sop, sec-high)
Intercepted requests from XMLDocument.load() in fetch allow to return a response from cross origin requests.
Comment 1•9 years ago
(not knowing too much about service workers, but I thought this was by design.)
Comment 2•9 years ago
Albert, what kind of cross-origin request are you talking about? "cors" or "no-cors"? If the latter you indeed found a SOP violation, but I doubt it.
Reporter
Comment 3•9 years ago
(In reply to Anne (:annevk) from comment #2)
> Albert, what kind of cross-origin request are you talking about? "cors" or
> "no-cors"? If the latter you indeed found a SOP violation, but I doubt it.

'cors' is working fine, the problem is 'no-cors'. See test at 1182120
Updated•9 years ago
Keywords: csectype-sop, sec-high
Updated•9 years ago
Blocks: ServiceWorkers-v1
Reporter
Comment 4•9 years ago
The main problem is that the intercepted XMLDocument.load() request has mode set to 'no-cors' instead of 'same-origin', which is being fixed in Bug 1189945.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
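Added example, not part of the bug thread and not Gecko code: a model of the Fetch Standard's check on a response that a service worker hands back through respondWith(), showing why the request mode named in comment 4 decides whether an opaque cross-origin response is accepted. The function names and the sample response object are assumptions made for illustration.

```javascript
// Added illustration, not Gecko code. Response "type" values follow the
// Fetch Standard: basic (same-origin), cors (CORS-approved), opaque
// (cross-origin, fetched with no-cors), opaqueredirect, error.

// Decide whether a response supplied by a service worker may be handed back
// to the code that issued the request. Returns { ok, reason }.
function checkInterceptedResponse(request, response) {
  if (response.type === 'error') {
    return { ok: false, reason: 'service worker returned a network error' };
  }
  if (request.mode === 'same-origin' && response.type === 'cors') {
    return { ok: false, reason: 'cors response for a same-origin request' };
  }
  if (request.mode !== 'no-cors' && response.type === 'opaque') {
    return { ok: false, reason: 'opaque response for a ' + request.mode + ' request' };
  }
  if (request.redirect !== 'manual' && response.type === 'opaqueredirect') {
    return { ok: false, reason: 'opaqueredirect response without manual redirect mode' };
  }
  return { ok: true, reason: 'type ' + response.type + ' allowed for mode ' + request.mode };
}

// Constructed sample: the worker answers a document load with the result of
// a 'no-cors' fetch of a cross-origin URL, which is an opaque response.
const opaqueFromWorker = { type: 'opaque' };

// Run the same opaque response against each request mode.
function compareModes() {
  const modes = ['no-cors', 'same-origin', 'cors'];
  return modes.map((mode) => {
    const verdict = checkInterceptedResponse({ mode, redirect: 'follow' }, opaqueFromWorker);
    return { mode, ok: verdict.ok, reason: verdict.reason };
  });
}

for (const row of compareModes()) {
  console.log(row.mode.padEnd(12), row.ok ? 'accepted' : 'rejected', '-', row.reason);
}
```

Only the 'no-cors' request accepts the opaque response, so an API that exposes the loaded content to script has to issue its request as 'same-origin' for this check to reject it.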
Updated•9 years ago
Group: core-security → core-security-release
Updated•8 years ago
Group: core-security-release