Re: [whatwg/fetch] From-Origin (#687)

> It doesn't seem necessary to have From-Origin effectively control what frames are allowed to load in a given application because developers already have that lever: Content-Security-Policy: frame-src. An application which doesn't ever need to load cross-origin frames can ensure that it's safe from Spectre if it sets frame-src, frame-ancestors and From-Origin to 'self' on all of its responses, even if From-Origin only looks at the origin of the embedding document and ignores frames.

Agreed, though there's still an assumption that other cross-site pages wouldn't end up in the same process, independent of what that application allowed via CSP and From-Origin.  For example, in Chrome without Site Isolation, a cross-site page in an entirely unrelated tab might end up in the same process (e.g., if the user has many tabs open and an existing process gets reused for it).  If that page had a Spectre attack, it could access the application's data despite being in an unrelated tab.

This could certainly still be prevented if browsers took process sharing into account with From-Origin (as I think is being proposed).  I just didn't see it covered in the recent summaries of what browser behavior From-Origin would require.  Presumably top-level navigations to pages with From-Origin headers would have to go into dedicated processes that don't get reused for other sites.  Implementing that would require cross-process navigations (as @rniwa mentioned earlier), since a tab could start out on an unrestricted page and then navigate to a page with a From-Origin header.  Does that sound correct?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/687#issuecomment-381050079

Received on Friday, 13 April 2018 07:33:09 UTC