Service Worker 中的范围请求


媒体元素使用范围请求,当通过 sw 时,被标记为 no-cors 请求,并把 Range 请求头移除


However, media elements piece multiple responses together and treat it as a single resource, and that opens up an interesting attack vector: Can known data be mixed with unknown data to reveal the content of the unknown data?

Firefox 允许重定向后把不同源的内容组合在一起,能看到未知资源的长度。