Re: [whatwg/fetch] Cross-Origin Read Blocking (CORB) (#681)

I'm currently looking to enable range requests to pass through a service worker safely, and later I'll specify how various web APIs should make range requests and validate responses.

Although CORB is involved in the same area, the goals are different, but we should be aware of overlap 😄. 

Here's a summary of the similarities and differences, as I understand them:

CORB's goal is to prevent bringing data into the content process, whereas I'm aiming to prevent exposing data to script. CORB is best-effort, with compatibility in mind, whereas I need to strictly avoid exposing opaque data to script.

CORB will [filter opaque partial responses if they match particular content types](https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md#determining-whether-a-response-is-corb_protected). This prevents an audio/video element being used to bring data that's potentially sensitive into the content process.

https://github.com/whatwg/fetch/pull/560 prevents [Attack 4](https://github.com/whatwg/fetch/issues/144#issuecomment-368040980), where a `<script>` is given a partial response that may contain private data. CORB will make this a lot harder for particular content types, but https://github.com/whatwg/fetch/pull/560 prevents this particular attack for all content types.

CORB recommends against multipart range requests. Currently range requests aren't specced from that API's point of view, but I'm trying to define it. I don't plan to use multiple ranges in a single response, and once specced, browsers shouldn't make kinds of range requests that aren't explicitly allowed.

I intend to make media elements reject responses that would result in a mix of opaque and visible data being treated as the same media resource. This prevents [Attack 1](https://github.com/whatwg/fetch/issues/144#issuecomment-368040980).

I intend to make media elements reject responses that would result in opaque data from multiple URLs being treated as the same media resource. This prevents [Attack 2](https://github.com/whatwg/fetch/issues/144#issuecomment-368040980).

I intend to make range supporting APIs fail if the partial response starts at an offset other than the requested range. This prevents [Attack 3](https://github.com/whatwg/fetch/issues/144#issuecomment-368040980).

I intend to make downloads fail/restart if content-identifying headers change between requests, such as the total length in `Content-Range`, `Content-Type`, `ETag`, or `Last-Modified`.
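As an added illustration (not code from the thread or from any browser), here is how the two checks described in the last two points could be applied to a partial response before a range-supporting API accepts it: the body must start exactly at the requested offset, and the content-identifying headers must not change between one partial response and the next. It assumes a minimal `{status, headers}` response shape, `Content-Range` in the `bytes start-end/total` form, and that both responses being compared are 206s.

```javascript
// Headers whose change between two partial responses means the resource may
// have been swapped, so the download should fail or restart.
const IDENTITY_HEADERS = ['content-type', 'etag', 'last-modified'];

// Parse "bytes <start>-<end>/<total>" ("*" for an unknown total).
// Returns null for anything malformed or self-contradictory.
function parseContentRange(value) {
  const m = /^bytes (\d+)-(\d+)\/(\d+|\*)$/.exec(value || '');
  if (!m) return null;
  const start = Number(m[1]), end = Number(m[2]);
  const total = m[3] === '*' ? null : Number(m[3]);
  if (end < start || (total !== null && end >= total)) return null;
  return { start, end, total };
}

// The response must begin at the offset that was requested. A 200 carries the
// whole resource from offset 0, so it only satisfies a request starting at 0;
// a 206 must declare exactly the requested start in Content-Range.
function partialResponseMatchesRequest(response, requestedStart) {
  if (response.status === 200) return requestedStart === 0;
  if (response.status !== 206) return false;
  const cr = parseContentRange(response.headers.get('content-range'));
  return cr !== null && cr.start === requestedStart;
}

// Compare the content-identifying headers of a later partial response with
// those recorded from the first one: the total length in Content-Range plus
// Content-Type, ETag and Last-Modified must all be unchanged.
function contentIdentityUnchanged(first, later) {
  const a = parseContentRange(first.headers.get('content-range'));
  const b = parseContentRange(later.headers.get('content-range'));
  if (!a || !b || a.total !== b.total) return false;
  return IDENTITY_HEADERS.every(
    (h) => first.headers.get(h) === later.headers.get(h));
}

// Constructed response objects for demonstration (not real traffic); header
// names are lower-cased so lookups are case-insensitive like real Headers.
function makeResponse(status, headerPairs) {
  const headers = new Map(headerPairs.map(([k, v]) => [k.toLowerCase(), v]));
  return { status, headers };
}
```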

https://github.com/whatwg/fetch/issues/681#issuecomment-379226334

Received on Friday, 6 April 2018 11:31:09 UTC