CORB: 3xx redirects, 304, 401, and 407 responses
Should we apply the CORB check to these responses as well?
Currently we only do it for the final response, but if that's not good enough for From-Origin, is it good enough for CORB in general? A test for this would be somewhat involved, but you could imagine:
HTTP/1.1 302 HEY
Location: elsewhere
Content-Type: text/html
X-Content-Type-Options: nosniff
cc @anforowicz @mikewest @jakearchibald
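As an added illustration, not code from the fetch spec or from any browser implementation, the following JavaScript models the two policies under discussion: applying a CORB-style MIME check only to the final response, or to every response in the chain, including the 302 in the example above and 401/407 responses. The function names, the simplified blocking rule (protected MIME type plus `nosniff`, with no confirmation sniffing modelled) and the response chains are all assumptions made for this example.

```javascript
// Added example, not code from the fetch spec or any browser. Models a
// simplified CORB check (assumption: a cross-origin no-cors request) and
// applies it under two hypothetical policies:
//   "final" - inspect only the last response of the chain
//   "all"   - inspect every response, including 3xx, 304, 401 and 407
// The helper names below are hypothetical.

// MIME types CORB protects when the response is marked nosniff. Real CORB also
// sniffs unmarked responses; that path is deliberately not modelled here.
const CORB_PROTECTED = new Set([
  "text/html",
  "text/xml",
  "application/xml",
  "application/json",
]);

// Return the lowercase media type without parameters, or null if absent.
function parseMediaType(contentType) {
  if (typeof contentType !== "string") return null;
  const type = contentType.split(";")[0].trim().toLowerCase();
  return type === "" ? null : type;
}

// A single response is blocked when its declared type is protected and the
// response carries X-Content-Type-Options: nosniff.
function corbBlocks(response) {
  const type = parseMediaType(response.headers["content-type"]);
  const xcto = response.headers["x-content-type-options"];
  const nosniff = typeof xcto === "string" && xcto.trim().toLowerCase() === "nosniff";
  return type !== null && CORB_PROTECTED.has(type) && nosniff;
}

// Index of the first response the policy would block, or -1 if none.
function firstBlockedIndex(chain, policy) {
  if (chain.length === 0) return -1;
  if (policy === "final") {
    const last = chain.length - 1;
    return corbBlocks(chain[last]) ? last : -1;
  }
  if (policy === "all") {
    return chain.findIndex(corbBlocks);
  }
  throw new Error(`unknown policy: ${policy}`);
}

// Constructed sample chain: the redirect from the issue text, followed by a
// harmless final response. Only the "all" policy notices the 302.
const REDIRECT_CHAIN = [
  {
    status: 302,
    headers: {
      location: "elsewhere",
      "content-type": "text/html",
      "x-content-type-options": "nosniff",
    },
  },
  { status: 200, headers: { "content-type": "image/png" } },
];

// Constructed sample: a 401 challenge carrying a JSON body. Under "final" it is
// inspected because it is the final response; the point of the thread is that
// such responses may be delivered somewhere an attacker can observe them.
const AUTH_CHAIN = [
  {
    status: 401,
    headers: {
      "www-authenticate": "Basic realm=\"example\"",
      "content-type": "application/json",
      "x-content-type-options": "nosniff",
    },
  },
];

function summarize() {
  return {
    redirectFinal: firstBlockedIndex(REDIRECT_CHAIN, "final"), // -1
    redirectAll: firstBlockedIndex(REDIRECT_CHAIN, "all"),     // 0
    authFinal: firstBlockedIndex(AUTH_CHAIN, "final"),         // 0
    authAll: firstBlockedIndex(AUTH_CHAIN, "all"),             // 0
  };
}

console.log(summarize());
```

The model deliberately ignores the body: a redirect whose body never leaves the network process, as one of the replies notes, would need no check at all, which is exactly the web-compatibility versus consistency trade-off the thread is weighing.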
I would not be sad if we blocked redirect responses based on their MIME types. That said, I think we'd need to gather some data to determine how web-compatible it would be to tighten things here. I can imagine that servers accidentally rely on this kind of thing being ignored in the presence of Location headers.
If we're following redirects within fetch, that seems fine from a CORB point of view, since the body isn't going back to the content process.
cc @csreis
Whether we do this or not, we should add a test to ensure implementations are consistent.
I think I agree that we shouldn't inspect redirects. But in light of #1132, 401 and 407 might be important, as with the changes discussed there they could reach attacker-controlled processes.