no-cors opaque contains URI

Fixed Issue #11684657

Details

Author
Morgan G.
Created
Apr 17, 2017
Privacy
This issue is public.
Found in
  • Microsoft Edge
Standard affected
Fetch Standard

Found in build #
15.15063
Reports
Reported by 2 people


Steps to reproduce

A request made with the no-cors mode should return an opaque response. Opaque responses should be indistinguishable from network errors and contain no content, body, or URI.

Edge currently includes the URI, post redirects, in the Response object returned by Fetch.

Simple example:

<button onclick="fetch('//docs.com/me', {mode:'no-cors',credentials:'include'}).then(function(response) { console.log(response); alert(response.url);});">click me</button>

The alert should be empty. It is not empty, and in fact shows either a redirect to a login or the full path to your logged-in docs.com profile.

Attachments

1 attachment
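
A regression check for the behaviour reported above, as an added example that is not part of the original issue or of any Microsoft code: it compares a Response against the fields the Fetch Standard gives an opaque filtered response. The names findOpaqueLeaks and checkNoCors, the sample objects and the example.test host are assumptions made for illustration.

```javascript
// Added example. Values an opaque filtered response exposes per the
// Fetch Standard: empty URL list, status 0, no status text, null body.
const OPAQUE_EXPECTED = {
  type: 'opaque',
  url: '',           // empty URL list, so no post-redirect URI is visible
  redirected: false,
  status: 0,
  ok: false,
  statusText: '',
  body: null,
};

// Returns the names of fields that reveal more than an opaque response may.
// Intended for responses to cross-origin requests made with mode: 'no-cors'.
function findOpaqueLeaks(response) {
  const leaks = [];
  for (const [field, expected] of Object.entries(OPAQUE_EXPECTED)) {
    if (response[field] !== expected) leaks.push(field);
  }
  // The header list must be empty as well.
  if ([...response.headers].length > 0) leaks.push('headers');
  return leaks;
}

// Browser-side wrapper (hypothetical helper): run it from a test page
// against a cross-origin URL that you control and that redirects.
async function checkNoCors(url) {
  const response = await fetch(url, { mode: 'no-cors', credentials: 'include' });
  return findOpaqueLeaks(response);
}

// Constructed sample: what a conforming browser hands back.
const conforming = {
  type: 'opaque', url: '', redirected: false, status: 0, ok: false,
  statusText: '', body: null, headers: new Map(),
};

// Constructed sample: the behaviour in this report, with the final URL
// populated after redirects. example.test is a placeholder host.
const leaking = { ...conforming, url: 'https://example.test/login?return=%2Fme' };

console.log(findOpaqueLeaks(conforming), findOpaqueLeaks(leaking));
```

An empty array from checkNoCors means the response is opaque in every field checked; any field name in the array is exposed to the calling page.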

Comments and activity

  • n.b. I’m not the original discoverer. This was originally reported to MSRC: http://mov.sx/2017/04/16/microsoft-edge-leaks-url.html

  • Microsoft Edge Team

    Changed Assigned To to “James M.”

    Changed Assigned To to “Venkat K.”

    Changed Assigned To from “Venkat K.” to “Lizette G.”

    Changed Status to “In code review”

    Changed Status from “In code review” to “In progress”

    Changed Status from “In progress” to “Fixed”
