Re: [whatwg/fetch] Allow range header to be set by APIs (#560)

jakearchibald commented on this pull request.



> @@ -3186,6 +3224,27 @@ optional <i>CORS flag</i> and <i>CORS-preflight flag</i>, run these steps:
     <!-- not resetting actualResponse since it's no longer used anyway -->
   </ol>
 
+ <li>
+  <p>If <var>response</var>'s <a for=response>status</a> is <code>206</code>,
+  and <var>response</var>'s <a for=response>range requested flag</a> is set, and
+  <var>request</var>'s <a for=request>header list</a> does not <a for="header list">contain</a>
+  "<code>`Range`</code>", then return a <a>network error</a>.
+
+  <div class=note>
+   <p>Traditionally, APIs accept a ranged response even if a range wasn't requested. However, we
+   need to prevent a partial response from an earlier ranged request being provided to an API that
+   didn't make a range request.
+
+   <p>Example attack: A media element is used to request a range of a cross-origin HTML resource.
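Review bot: the new step rejects a partial response only when the response's range requested flag is set, so its guarantee is exactly as strong as the set of places that set that flag; if any path can yield a `206` response without setting it (for example a response reused from the HTTP cache), the "request's header list does not contain `Range`" check is never reached and the partial body is handed to the API anyway. Suggest either stating in the note which steps set the flag, or considering whether the status alone (`206` while the request carried no `Range` header) is a sufficient and simpler condition.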

Does the example make sense? It's the thing we're actively preventing.

Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/560#discussion_r179707755

Received on Friday, 6 April 2018 09:43:52 UTC