- From: Jake Archibald <notifications@github.com>
- Date: Tue, 10 Apr 2018 06:23:40 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/560/review/110832429@github.com>
jakearchibald commented on this pull request.

> + <div class=note> + <p>Traditionally, APIs accept a ranged response even if a range wasn't requested. However, we + need to prevent a partial response from an earlier ranged request being provided to an API that + didn't make a range request. + + <p>The above step prevents the following attack attack: + + <p>A media element is used to request a range of a cross-origin HTML resource. Although this is + invalid media, a reference to a clone of the response can be retained in a service worker. This + can later be used as the response to a script element's fetch. If the partial response is valid + JavaScript (even though the whole resource is not), executing it would leak private data. + + <p>The response is replaced with an "ok" response to avoid triggering error events or rejections + in APIs, as this would also leak information about the response. + </div> +

@annevk I moved these steps to Main Fetch, around where I think CORB blocking will go. I also replace the response with a new response, which is what I think CORB should do too, rather than filter the existing response. Does this make sense?

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/560#pullrequestreview-110832429
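Review bot: the third paragraph of the added note has a duplicated word, "prevents the following attack attack:"; it should read "prevents the following attack:". Separately, the note relies on "The above step" without restating what that step checks (that the response is a ranged/partial response but the request did not ask for a range); since this note has already moved once and may be read in isolation, consider naming that condition in the note itself, e.g. "The step above, which replaces a partial response to a request that did not set a range, prevents the following attack:".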
Received on Tuesday, 10 April 2018 13:24:02 UTC