Re: [whatwg/fetch] From-Origin (#687)

Thanks, Anne -- in this case, let's leave the `Sec-Site` question for a separate thread and focus on `From-Origin` here. I like the idea and think we should do it, but there are two caveats that are worth pointing out:

1. Deploying `From-Origin` may be tricky in a fair number of applications because developers don't have visibility into the requesters of their resources. E.g. if they start serving `From-Origin: "same"` on resources that are legitimately loaded by a non-same-origin document, these loads will break in a way that's not easy to identify or predict in advance (short of first doing a study which gathers `Referer` values -- which isn't foolproof because of Referrer Policy and the header being stripped in many cases).
2. Unlike the request header approach, it will not protect against bugs such as CSRF, cross-origin timings, or cases where the attacker can observe the size of the response (e.g. a local-network attacker even if the traffic is over HTTPS) because the server still emits the response as usual.

Both of these are fine if we see the header as a narrowly focused Spectre mitigation for responses not covered by CORB, such as images, but I think there is still room to do more and address cross-origin leaks (and Spectre) in a more general way.

Somewhat separately, I'd also suggest making the source list syntax compatible with CSP (e.g. `'self'` instead of `"same"`, etc.).

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/687#issuecomment-380803971

Received on Thursday, 12 April 2018 13:25:44 UTC
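The two caveats above can be made concrete in a small model. The following is an added example, not code from the whatwg/fetch thread or from any browser or server; it assumes a constructed access-log format (`path referer`), treats a `From-Origin` source list as either `"same"` or, as an assumption going beyond the thread, a space-separated list of quoted origins (with the CSP-style `'self'` accepted as an alias for `"same"`), and models the "request header approach" with a hypothetical request-side signal that carries the requester's origin. It shows (1) a Referer study that flags resources whose observed loads `From-Origin: "same"` would break, including loads with a stripped Referer that cannot be classified, and (2) why a response-side policy still emits the full, size-observable body while a request-side check refuses before emitting it.

```python
from collections import defaultdict
from urllib.parse import urlsplit


def origin_of(url):
    """Return scheme://host[:port] for a URL, or None when it has no scheme/host."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{parts.hostname.lower()}{port}"


def from_origin_allows(policy, resource_origin, requester_origin):
    """Browser-side evaluation of a From-Origin response header.

    policy is the header value. '"same"' is the only value the thread shows;
    a quoted origin list and the CSP-style "'self'" alias are assumptions here.
    requester_origin is the origin of the document that initiated the load
    (None when unknown).
    """
    for source in policy.split():
        source = source.strip("\"'")
        if source in ("same", "self"):
            if requester_origin is not None and requester_origin == resource_origin:
                return True
        else:
            allowed = origin_of(source)
            if allowed is not None and allowed == requester_origin:
                return True
    return False


# Constructed access-log lines (not real traffic): "<path> <Referer or ->".
SAMPLE_LOG = """\
/img/logo.png https://shop.example/cart
/img/logo.png https://blog.example/post/1
/img/logo.png -
/img/banner.png https://shop.example/
"""


def referer_study(log_text):
    """Collect the set of referring origins observed per resource path.

    A missing Referer ("-") is recorded as None: because of Referrer Policy
    and header stripping, these loads cannot be classified either way.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        path, _, referer = line.partition(" ")
        seen[path].add(None if referer == "-" else origin_of(referer))
    return dict(seen)


def would_break(study, resource_origin):
    """Paths whose observed loads From-Origin: "same" would block.

    Returns {path: {offending origins}}; None (unknown referer) is kept in the
    set so the operator sees loads that need manual confirmation before deploying.
    """
    result = {}
    for path, origins in study.items():
        offending = {o for o in origins if o != resource_origin}
        if offending:
            result[path] = offending
    return result


def serve_with_from_origin(body, policy, resource_origin, requester_origin):
    """Response-header model: the server always emits the full body and the
    browser discards it afterwards. Returns (bytes_on_wire, bytes_delivered).
    A network observer sees bytes_on_wire regardless of the decision."""
    delivered = body if from_origin_allows(policy, resource_origin, requester_origin) else None
    return len(body), delivered


def serve_with_request_check(body, resource_origin, requester_origin):
    """Request-side model (hypothetical header conveying the requester's origin):
    a cross-origin request is refused before the body is generated, so nothing
    resource-sized reaches the wire. Returns (bytes_on_wire, bytes_delivered)."""
    if requester_origin != resource_origin:
        return 0, None
    return len(body), body


if __name__ == "__main__":
    site = "https://shop.example"
    print("loads broken by From-Origin \"same\":", would_break(referer_study(SAMPLE_LOG), site))
    print("response-side:", serve_with_from_origin(b"x" * 500, '"same"', site, "https://blog.example"))
    print("request-side: ", serve_with_request_check(b"x" * 500, site, "https://blog.example"))
```

Running the study before switching the header on is the practical check the first caveat calls for; the `None` entries are the loads the study cannot vouch for. The last two functions make the second caveat visible in the returned byte counts: with the response-side policy the 500-byte body is still emitted for the cross-origin request, which is exactly what a size-observing attacker needs, whereas the request-side check emits nothing.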