Re: [whatwg/fetch] Only-if-cached (#159)

@annevk I think you proposed the bit about not caching redirects.  I'm not sure we actually need it with the choice of requiring mode "same-origin", but mayhemer has keen eyes and it did seem like an explicit decision that was not explicitly handled or further discussed, so I've brought it up.

As I understand the threat model, the concern was that "only-if-cached" provided an attacker with a foolproof boolean means of identifying whether a given URL was in the cache whereas other means involve timing analysis that are potentially harder to reduce to a boolean.

Ehsan raised the issue of "a redirect from same-origin to cross-origin and back to same-origin supposed to be handled" which indeed seems like a scenario where an attacker could gain some entropy if we returned a value in that case.  (Granting that it's a weird scenario since it effectively requires the other-origin server to be in cahoots.  But it might be useful for super-cookie hacks where you store entropy in the local http cache states of other origins that can be convinced to generate redirects to your domain somehow, one bit per distinct redirect.  That way the entropy would persist for a while even if the user cleared all state for the visited attacker origin.)

But by requiring a request mode of "same-origin", the spec already will cause a network error to occur when the HTTP-redirect fetch step 15 invokes main fetch and main fetch step 11's "same-origin" enforcement fires.  (Because the basic fetch case above it will not fire because the current url origin and request's origin are not the same.)

So maybe there's nothing to do or we just want to add more detail to the "only-if-cached" note on request's "cache mode".  So `(Can only be used when request's mode is "same-origin".)` might become `(Can only be used when request's mode is "same-origin".  Cached redirects within the origin will be followed, but any redirect out of the origin will result in a network error consistent with use of "same-origin".)`.

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/159#issuecomment-221937304

Received on Thursday, 26 May 2016 17:23:19 UTC
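
The redirect handling discussed in this message, as a simplified model added here as an example; it is not part of the original message and not the Fetch specification's algorithm text. The function names, origins and cache entries are constructed, and what a cache miss surfaces as to script is left out of the model.

```javascript
// Model of "only-if-cached" + mode "same-origin": cached redirects inside the
// origin are followed; any redirect out of the origin ends in a network error.
const NETWORK_ERROR = Object.freeze({ kind: "network-error" });
const CACHE_MISS = Object.freeze({ kind: "cache-miss" }); // modelling placeholder
const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);

function onlyIfCachedFetch(cache, url, origin, mode = "same-origin") {
  // The cache mode can only be used when request's mode is "same-origin".
  if (mode !== "same-origin") {
    throw new TypeError('"only-if-cached" requires mode "same-origin"');
  }
  let current = new URL(url);
  for (let hops = 0; hops <= 20; hops++) {
    // The same-origin check runs on every pass, before the cache is consulted,
    // so the cache state of another origin never influences the result.
    if (current.origin !== origin) return NETWORK_ERROR;
    const entry = cache.get(current.href);
    if (!entry) return CACHE_MISS;
    if (REDIRECT_STATUSES.has(entry.status) && entry.location) {
      current = new URL(entry.location, current); // follow the cached redirect
      continue;
    }
    return { kind: "response", status: entry.status, url: current.href };
  }
  return NETWORK_ERROR; // redirect limit reached
}

function demo() {
  const origin = "https://app.example";
  const sameOriginEntries = [ // constructed sample cache contents
    ["https://app.example/a", { status: 302, location: "/b" }],
    ["https://app.example/b", { status: 200 }],
    ["https://app.example/out", { status: 302, location: "https://other.example/r" }],
    ["https://app.example/back", { status: 200 }],
  ];
  const cold = new Map(sameOriginEntries); // other.example/r not cached
  const warm = new Map([...sameOriginEntries, // other.example/r cached, bounces back
    ["https://other.example/r", { status: 302, location: "https://app.example/back" }]]);
  return {
    inOrigin: onlyIfCachedFetch(cold, "https://app.example/a", origin),
    outCold: onlyIfCachedFetch(cold, "https://app.example/out", origin),
    outWarm: onlyIfCachedFetch(warm, "https://app.example/out", origin),
  };
}

console.log(demo());
```

In this model the same-origin to cross-origin and back chain returns the same network error whether or not the cross-origin hop is cached, which is the property the message relies on.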