How we built it

Response.redirected and a new security restriction

- Add the .redirected attribute to the Response class of the Fetch API. Web developers can check it to avoid untrustworthy responses.
- To avoid the risk of open redirectors (https://cwe.mitre.org/data/definitions/601.html), introduce a new security restriction that disallows service workers from responding to requests with a redirect mode different from "follow".
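A service worker can apply the same check itself before calling respondWith(). The sketch below is an added example, not code from Chromium or the specification; the function names and the cache name are hypothetical, and it assumes the restriction rejects a response whose redirected attribute is true when the request's redirect mode is not "follow".

```javascript
// Added example; isSafeToRespond, chooseResponse and the cache name are hypothetical.

// Returns true when `response` may be handed to respondWith() for `request`.
// A response that was reached through a redirect is only acceptable when the
// request itself asked for redirects to be followed. Navigation requests use
// redirect mode "manual", so a redirected cache entry must not answer them.
function isSafeToRespond(request, response) {
  if (!response.redirected) return true;
  return request.redirect === 'follow';
}

// Picks the response for a fetch event: the cached entry if it passes the
// check, otherwise the network, which honours the request's own redirect mode.
// `fetchFn` is injected so the decision can be exercised outside a browser.
function chooseResponse(request, cached, fetchFn) {
  if (cached && isSafeToRespond(request, cached)) return cached;
  return fetchFn(request);
}

// Wiring, only active inside a real service worker.
if (typeof ServiceWorkerGlobalScope !== 'undefined' &&
    self instanceof ServiceWorkerGlobalScope) {
  self.addEventListener('fetch', (event) => {
    event.respondWith((async () => {
      const cache = await caches.open('example-cache-v1');
      const cached = await cache.match(event.request);
      return chooseResponse(event.request, cached, fetch);
    })());
  });
}

// Constructed stand-ins for Request/Response objects, used to walk the cases.
const navigation = { redirect: 'manual' };   // e.g. a page load
const subresource = { redirect: 'follow' };  // e.g. a default fetch() call
const direct = { redirected: false };
const viaRedirect = { redirected: true };
const fromNetwork = () => 'network';

console.log(chooseResponse(navigation, viaRedirect, fromNetwork) === 'network');
console.log(chooseResponse(subresource, viaRedirect, fromNetwork) === viaRedirect);
console.log(chooseResponse(navigation, direct, fromNetwork) === direct);
```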

Comments

Safari has shipped the Fetch API and the Response.redirected attribute in Technology Preview, but has not shipped Service Worker. Edge has shipped the Fetch API, but has not shipped the Response.redirected attribute or Service Worker.

Documentation

Specification

Established standard

Status in Chromium

In development (launch bug)

Consensus & Standardization

  • Shipped
  • No public signals
  • Shipped
  • No signals

Owner

Last updated on 2016-11-29