Open NAndreasson opened 8 years ago
This is very much related to #56; we should do the same thing for this and the fetch API.

@annevk do you have any thoughts on how to most easily (or least intrusively) do this (at least for fetch)?

We need to make sure that a labeled-json response cannot be marshalled as anything but that.
I don't think we should be extending `XMLHttpRequest`. I'll reply in the other issue for `fetch()`.
As it is, one could choose a different `responseType` than `"labeled-json"` to access the received data, even if the server operator has set the Content-Type of the response to be equal to `application/labeled-json`. So essentially it is possible to set the responseType to `json` to receive the response as JSON instead, and thus bypass the confinement that we want after inspecting the response.

We probably want to make sure that response is null in the case of `Content-Type: application/labeled-json` and `xhr.responseType != labeled-json`.

http://w3c.github.io/webappsec-cowl/#receive-labeled-object
Example
Server operator
Developer
Could probably be accessed via `xhr.responseText` as well.

+@deian
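The gating rule proposed in the thread (expose nothing when the server sent `Content-Type: application/labeled-json` but the script asked for any other `responseType`, covering the `responseText` path mentioned above too), modelled as an added JavaScript example. This is not code from the issue thread or the COWL spec; the function names `mimeEssence` and `gateXhrResponse`, the returned object shape, the `label`/`data` body layout and the sample body are assumptions made for illustration.

```javascript
// Added example, not from the COWL spec or the issue thread: a model of the
// proposed rule that an application/labeled-json response is observable only
// through responseType "labeled-json". Function names, the returned object
// shape and the label/data body layout are assumptions for illustration.

const LABELED_JSON = "application/labeled-json";

// Parse the MIME "essence" (type/subtype) from a Content-Type header value,
// dropping parameters such as charset and normalising case and whitespace,
// so that "Application/Labeled-JSON; charset=utf-8" still matches.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// Decide what page script may observe for a received response.
// Returns an object mimicking the two XHR fields discussed in the thread,
// `response` and `responseText`, plus a `blocked` flag for clarity.
function gateXhrResponse({ contentType, responseType, body }) {
  const labeled = mimeEssence(contentType) === LABELED_JSON;

  // The proposed rule: a labeled-json body requested under any other
  // responseType yields null everywhere, so neither the json nor the text
  // path can be used to read the data without its label.
  if (labeled && responseType !== "labeled-json") {
    return { response: null, responseText: null, blocked: true };
  }

  if (labeled) {
    // labeled-json path: hand back the label together with the data and
    // never the raw text, so the label cannot be detached from the payload.
    const parsed = JSON.parse(body);
    return {
      response: { label: parsed.label, data: parsed.data },
      responseText: null,
      blocked: false,
    };
  }

  // Ordinary responses keep normal XHR semantics: responseText is readable
  // only for responseType "" or "text" (real XHR throws InvalidStateError
  // otherwise; modelled here as null).
  const textAllowed = responseType === "" || responseType === "text";
  const response = responseType === "json" ? JSON.parse(body) : body;
  return { response, responseText: textAllowed ? body : null, blocked: false };
}

// Constructed sample body a server might send with
// Content-Type: application/labeled-json (the label syntax is illustrative).
const SAMPLE_LABELED_BODY = JSON.stringify({
  label: "https://a.example",
  data: { secret: 42 },
});

// Stand-alone demonstration of the three cases.
if (typeof require !== "undefined" && require.main === module) {
  console.log(gateXhrResponse({ contentType: LABELED_JSON + "; charset=utf-8", responseType: "json", body: SAMPLE_LABELED_BODY }));
  console.log(gateXhrResponse({ contentType: LABELED_JSON, responseType: "labeled-json", body: SAMPLE_LABELED_BODY }));
  console.log(gateXhrResponse({ contentType: "application/json", responseType: "json", body: '{"x":1}' }));
}
```

The check keys off the MIME essence rather than the raw header string, which is the detail a real implementation must get right: a trailing `; charset=utf-8` or a differently cased type must not let a labeled-json response fall through to the ordinary `json` or `text` paths.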