| 09:32 | <annevk> | domfarolino: 1) if A requests A, the flag isn't set and TAO isn't required, 2) if A requests A redirects to B the flag isn't set and TAO is required (for B), and 3) if A requests A redirects to B redirects to C the flag is set (but only from B to C) and TAO is required (for B and C) |
| 13:35 | <domfarolino> | annevk: and I guess the issue is that the flag isn’t set for A -> B even though we need the TAO check for B? |
| 16:55 | <annevk> | domfarolino: that is a problem, yes |
| 17:12 | <domfarolino> | annevk: Indeed, that's why I was curious if it would work in addition to a same-origin-ness check like npm1 had. But yeah, checking response tainting is cleaner |