consider exposing a Request.site getter #1322

Open
wanderview opened this issue Oct 6, 2021 · 1 comment
Comments

@wanderview
Member

Currently we expose a Sec-Fetch-Site header to servers, but hide this information from service workers. The Sec-Fetch-Site and origin headers are not populated until after the FetchEvent is handled by the service worker. This means the service worker cannot reason about whether the incoming request is from a safe same-origin initiator or a potentially hostile cross-site initiator.

To address this we propose to add a Request.site getter that returns same-origin, same-site, or cross-site. The value would be based on the request's internal origin and origin tainting flag.

This was discussed at the recent SW virtual F2F: w3c/ServiceWorker#1604
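The classification the proposal describes, as an added example that is not part of this issue, the Fetch spec, or any browser implementation: a model of the same-origin / same-site / cross-site value a `Request.site` getter would expose, computed over the request's origin and every URL it visited, plus a hypothetical service-worker policy that consumes it. The `PUBLIC_SUFFIXES` set, the `shouldServe` policy and the treatment of a tainted origin as cross-site are all assumptions of this example.

```javascript
// Added illustration, not code from the issue or the Fetch spec: a model of the
// same-origin / same-site / cross-site value the proposed Request.site getter
// would expose, and how a service worker could act on it defensively.

// Constructed, deliberately tiny public-suffix list; a real implementation
// needs the full Public Suffix List to find a host's registrable domain.
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk", "github.io"]);

// Registrable domain = longest matching public suffix plus one more label.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return null; // host is itself a suffix or a single label (e.g. localhost)
}

// A site is (scheme, registrable domain); hosts without one use the host itself.
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${registrableDomain(u.hostname) ?? u.hostname}`;
}

// Classify a request given its initiator origin and every URL it visited
// (redirect hops included), so a cross-site hop cannot be laundered back to
// same-origin by the final redirect target. Assumption: a tainted origin is
// treated like an opaque ("null") origin, i.e. cross-site.
function classifySite(initiatorOrigin, urlList, taintedOrigin = false) {
  if (taintedOrigin || initiatorOrigin === "null") return "cross-site";
  let result = "same-origin";
  for (const url of urlList) {
    if (new URL(url).origin === initiatorOrigin) continue;
    if (siteOf(url) !== siteOf(initiatorOrigin)) return "cross-site";
    result = "same-site";
  }
  return result;
}

// Hypothetical service-worker policy: refuse cross-site requests for
// credentialed API paths before touching cache or network.
function shouldServe(site, pathname) {
  return !(pathname.startsWith("/api/") && site === "cross-site");
}

// Inside a worker this would be used roughly as:
//   addEventListener("fetch", (e) => {
//     if (!shouldServe(e.request.site, new URL(e.request.url).pathname))
//       e.respondWith(new Response(null, { status: 403 }));
//   });
```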

@annevk annevk added addition/proposal New features or enhancements topic: api labels Oct 7, 2021
@annevk
Member

annevk commented Oct 7, 2021

Asserts:
