Subresource fetch requests in no-cors mode don't come with an Origin header, but the preflight requests we send for PNA include the "Origin" header. This is so that websites can use it to gate access only to websites they trust even though it leaks some information. We think the trade-off is worth it because in order to exploit this leak, you have to be on the private network of the user. We should probably still call this out in the spec.
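The gating described in the issue, seen from the private-network server's side, as an added example that is not part of the original issue or the spec text. It assumes the `Access-Control-Request-Private-Network` / `Access-Control-Allow-Private-Network` header pair from the PNA draft; `TRUSTED_ORIGINS`, `ALLOWED_METHODS`, `handlePnaPreflight` and the sample origin are hypothetical names.

```javascript
// Added example: Origin-gated handling of a PNA preflight on a private-network device.
// The follow-up no-cors subresource request carries no Origin header, so the
// preflight is the only point at which this server can decide by origin.
const TRUSTED_ORIGINS = new Set(["https://intranet-dashboard.example"]); // constructed sample
const ALLOWED_METHODS = new Set(["GET", "HEAD"]);

function handlePnaPreflight(method, headers) {
  // HTTP header names are case-insensitive; normalise before lookup.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  const requestedMethod = h["access-control-request-method"];
  if (method !== "OPTIONS" || requestedMethod === undefined) {
    return { status: 405, headers: {} }; // not a preflight
  }

  const origin = h["origin"];
  // Exact match against the allowlist: no substring or suffix checks, and the
  // opaque "null" origin is never trusted.
  const trusted = origin !== undefined && origin !== "null" && TRUSTED_ORIGINS.has(origin);
  if (!trusted || !ALLOWED_METHODS.has(requestedMethod)) {
    // No Access-Control-Allow-* headers: the browser fails the preflight and
    // never sends the subresource request.
    return { status: 403, headers: { Vary: "Origin" } };
  }

  const responseHeaders = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": requestedMethod,
    Vary: "Origin", // the response differs per origin; keep caches from mixing them
  };
  // Opt in to private-network access only when the browser asked for it.
  if (h["access-control-request-private-network"] === "true") {
    responseHeaders["Access-Control-Allow-Private-Network"] = "true";
  }
  return { status: 204, headers: responseHeaders };
}

// Constructed sample preflight for an <img> load from a trusted public page.
const samplePreflight = {
  Origin: "https://intranet-dashboard.example",
  "Access-Control-Request-Method": "GET",
  "Access-Control-Request-Private-Network": "true",
};
console.log(handlePnaPreflight("OPTIONS", samplePreflight));
```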