
Commit 79f3d0f

Authored by drubery (Daniel Rubery) and Daniel Rubery
Update redirect handling for DBSC requests (#168)

The current description doesn't really align with the Fetch redirect handling. While it's nice to ensure that sites don't expose themselves to significant risk, we already require that the refresh URL be HTTPS, so sites need to do significant work to take on this risk. Simpler Fetch integration is valued over protecting sites from themselves.

Co-authored-by: Daniel Rubery <[email protected]>

1 parent: 8258482; commit: 79f3d0f

File tree: 1 file changed, +3 −7 lines changed

spec.bs

Lines changed: 3 additions & 7 deletions
@@ -496,10 +496,10 @@ The <dfn>session credential</dfn> is a [=struct=] with the following
496496
1. Let |signed challenge| be null. If |challenge| is non-null, sign it
497497
with |key pair| and store the result in |signed challenge|.
498498
1. Create a |request| for use in <a
499-
href="https://fetch.spec.whatwg.org/#http-network-or-cache-fetch">HTTP-network-or-cache
500-
fetch</a>.
499+
href="https://fetch.spec.whatwg.org/#http-fetch">HTTP fetch</a>.
501500
1. Set |request|'s [=request/method=] to "POST".
502501
1. Set |request|'s [=request/URL=] to |destination|.
502+
1. Set |request|'s [=request/redirect mode=] to "follow".
503503
1. If |signed challenge| is non-null, [=header list/append=] the header
504504
("Secure-Session-Response", |signed challenge|) to |request|'s
505505
[=request/header list=].
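Review bot: the new step "Set |request|'s [=request/redirect mode=] to "follow"" (new line 502) means the linked HTTP fetch algorithm will follow any redirect issued by the refresh endpoint, and the signed challenge appended two steps later as the "Secure-Session-Response" header is part of the |request| that gets redirected, so it is delivered to whatever destination the endpoint redirects to. The commit message's rationale (the refresh URL itself must already be HTTPS) should be recorded in the spec prose next to this step, e.g. a note such as "A refresh endpoint that redirects is trusting the redirect target with the signed challenge", so implementers understand why "follow" is acceptable here rather than having to reconstruct that reasoning from the commit history.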
@@ -508,13 +508,9 @@ The <dfn>session credential</dfn> is a [=struct=] with the following
508508
1. Set |request|'s [=request/initiator=] to |originating request|'s
509509
[=request/initiator=].
510510
1. Let |response| be the result of running <a
511-
href="https://fetch.spec.whatwg.org/#http-network-or-cache-fetch">HTTP-network-or-cache
512-
fetch</a> for |request|.
511+
href="https://fetch.spec.whatwg.org/#http-fetch">HTTP fetch</a> for |request|.
513512
1. If |response| is a [=network error=], or |response|'s
514513
[=response/status=] is 407 or 429, return.
515-
1. If |response|'s [=response/status=] is a [=redirect status=], and the
516-
destination does not have an HTTPS scheme and is not localhost, cancel the
517-
request and return.
518514
1. If |response|'s [=response/status=] is at least 300 and below 400, then
519515
return.
520516
1. If |response|'s [=response/status=] is 403:
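Review bot: with redirect mode now "follow", the retained step "If |response|'s [=response/status=] is at least 300 and below 400, then return" (old line 518, new line 514) is reachable only when HTTP fetch hands back a redirect-status response it did not follow, because every followed redirect is resolved before |response| is returned; the step should either be reworded to say so or carry a note, otherwise it still reads as if redirects are surfaced to this algorithm. Separately, the removed step (old lines 515-517) was the only place that constrained the redirect destination to an HTTPS scheme or localhost; after this change that constraint is gone and redirect handling is entirely delegated to the linked HTTP fetch algorithm, which the spec text should state explicitly rather than leave implicit.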
