[Webkit-unassigned] [Bug 260284] Incorrect Sec-Fetch-Site values on sandboxed iframes
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri May 31 10:31:35 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=260284
--- Comment #3 from Vincent Lee <vincentlee at meta.com> ---
Actually, on further reading of the spec, I'm Chrome and FF might be the ones with the bug here.
Sandboxing an iframe without `allow-same-origin` means the origin becomes opaque, and if I'm reading the language correctly for Sec-Fetch-Site, the algorithm for setting the header asserts that the request is from a "potentially trustworthy origin", which an opaque origin is not.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20240531/77abf068/attachment.htm>
More information about the webkit-unassigned
mailing list