Response.redirected and a new security restriction

  • Add a .redirected attribute to the Response class of the Fetch API. Web developers can check it to avoid trusting responses that arrived via a redirect.
  • To avoid the risk of open redirectors (https://cwe.mitre.org/data/definitions/601.html), introduce a new security restriction that disallows service workers from responding with a redirected response to requests whose redirect mode is not "follow".
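How a service worker can use the new attribute to stay on the right side of the restriction, as an added example that is not code from the feature page or from Chromium: cached responses that went through a redirect are never reused for requests whose redirect mode is not "follow", and are never written to the cache in the first place. The cache name and the fact that handleFetch() takes the cache storage and fetch function as parameters are assumptions made so the logic can be exercised outside a worker.

```javascript
// Service worker fetch handling that respects the Chrome 59 rule:
// event.respondWith(r) is rejected when r.redirected is true and the
// request's redirect mode is not "follow" (navigations use "manual").

const CACHE_NAME = "app-shell-v1"; // constructed name for this example

// Pure policy check: may this response answer this request?
function canRespondWith(request, response) {
  return !response.redirected || request.redirect === "follow";
}

// Cache only successful responses that did not follow a redirect. Storing a
// redirected body under the originally requested URL is exactly the
// open-redirector confusion the restriction is meant to prevent.
function isCacheable(response) {
  return response.ok && !response.redirected;
}

// caches: a CacheStorage-like object; fetchFn: the fetch function to use.
async function handleFetch(request, caches, fetchFn) {
  const cache = await caches.open(CACHE_NAME);
  const cached = await cache.match(request);
  if (cached && canRespondWith(request, cached)) {
    return cached;
  }
  // No usable cached entry (missing, or a redirected entry that this request
  // may not receive): go to the network. For a "manual" navigation request
  // the browser returns an opaqueredirect response, which is safe to pass to
  // respondWith() and lets the browser follow the redirect itself.
  const response = await fetchFn(request);
  if (isCacheable(response)) {
    await cache.put(request, response.clone());
  }
  return response;
}

// Register the handler only when actually running inside a service worker.
if (typeof self !== "undefined" && "ServiceWorkerGlobalScope" in self) {
  self.addEventListener("fetch", (event) => {
    event.respondWith(handleFetch(event.request, self.caches, fetch));
  });
}
```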

Comments

Safari has shipped the Fetch API and the Response.redirected attribute in Technology Preview, but has not shipped Service Worker. Edge has shipped the Fetch API, but has not shipped the Response.redirected attribute or Service Worker.

Documentation

Specification

Established standard

Status in Chromium

Blink>Network>FetchAPI
Enabled by default (launch bug) in:

  • Chrome for desktop release 59
  • Chrome for Android release 59
  • Android WebView release 59
  • Opera release 46
  • Opera for Android release 46

Consensus & Standardization

  • Shipped
  • No public signals
  • Shipped
  • No signals

Owner

Last updated on 2017-07-20