[Webkit-unassigned] [Bug 155761] Origin header is not included in CORS requests for cross-origin resources

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jun 6 12:15:03 PDT 2016


https://bugs.webkit.org/show_bug.cgi?id=155761

--- Comment #3 from Josh Dover <me at joshdover.com> ---
Anyone looking for a SAFE workaround should not be using `Access-Control-Allow-Origin: *`. What I used that worked:

- Find the CSSStyleSheet in the `tainted` state (`styleSheet.cssRules` will be null).
- Make an XHR for the stylesheet's `href`.
- Add a new `<style>` node to the document's head with the contents of the XHR.
- Optionally, remove the original style tag.

This method will be safe since you are still relying on the browser's CORS protections when you make the XHR.

-- 
You are receiving this mail because:
You are the assignee for the bug.
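
The workaround steps from comment #3, written out as an added example (not code from the comment or from WebKit). The function names, the result object and the injectable `fetcher` parameter are assumptions made here so the logic can also be exercised outside a browser.

```javascript
// Added example; isTainted, fetchCss and inlineTaintedStylesheets are hypothetical names.

// A sheet is "tainted" when the browser refuses to expose its rules:
// the WebKit behaviour in this bug returns null from cssRules; other
// engines throw a SecurityError instead.
function isTainted(sheet) {
  try {
    return sheet.cssRules === null;
  } catch (e) {
    return e.name === 'SecurityError';
  }
}

// Default fetcher: a plain XHR. For a cross-origin href the browser still
// enforces CORS, so this rejects unless the server allows the page's origin.
function fetchCss(href) {
  return new Promise((resolve, reject) => {
    const xhr = new XMLHttpRequest();
    xhr.open('GET', href);
    xhr.onload = () => (xhr.status >= 200 && xhr.status < 300
      ? resolve(xhr.responseText)
      : reject(new Error('HTTP ' + xhr.status)));
    xhr.onerror = () => reject(new Error('blocked or network error: ' + href));
    xhr.send();
  });
}

async function inlineTaintedStylesheets(doc, fetcher = fetchCss, removeOriginal = false) {
  const result = { inlined: [], failed: [] };
  const tainted = Array.from(doc.styleSheets).filter((s) => s.href && isTainted(s));
  for (const sheet of tainted) {
    try {
      const css = await fetcher(sheet.href);
      const style = doc.createElement('style');
      style.textContent = css; // text only, never parsed as HTML
      doc.head.appendChild(style);
      if (removeOriginal && sheet.ownerNode) sheet.ownerNode.remove();
      result.inlined.push(sheet.href);
    } catch (err) {
      // CORS refused the read: leave the sheet as it is instead of bypassing the check.
      result.failed.push(sheet.href);
    }
  }
  return result;
}
```

Relative `url()` references inside an inlined sheet resolve against the page instead of the original stylesheet URL, so check those after inlining.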