Re: [whatwg/fetch] Cross-Origin Read Blocking (CORB) (#681)

> If we shift the request server side and then send the response back to the client via the same origin, how does that stop third party js from intercepting and reading the response?

I am not sure if I understand the scenario above (e.g. I don't understand what is meant by "shift the request server side" and "[have the server] send the response back to the client via the same origin").  Do you mean request initiated from https://bar.com to https://foo.com/secret.json and foo.com server redirecting to https://bar.com/secret.json?

At any rate, CORB is a client-side security feature and it can't protect against information disclosure problems on the server side.

> How do ad scripts still load json/html/js on pages even though they are obviously cross origin requests?

CORB only blocks responses that cannot possibly be included in <img> or <script> or similar legacy tags - therefore CORB *would not* block JavaScript / js (unless it is served with a wrong Content-Type).

CORB *would* block json and/or html, but these only make sense in responses to fetch/XHR (and so would also be blocked by CORS).  If ad scripts depend on cross-origin responses then either the responses are allowed by CORS (and so are not blocked by CORB) or the ad scripts are already broken (because the responses are blocked by CORS even before CORB looks at them).

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/681#issuecomment-445386123

Received on Friday, 7 December 2018 22:32:27 UTC
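The decision described in the two replies above (only cross-origin responses that are not CORS-approved, and whose bytes are confirmed to be HTML, XML or JSON, get blocked; scripts and images never do; a script with a wrong Content-Type is only caught when the body actually looks like the claimed type or the server sends nosniff) can be modelled in a few dozen lines. The following is an added illustrative model written for this thread, not code from the Fetch spec, from Chromium, or from the comment author; the `Request`/`Response` classes, the `corb_decision` function and the sniffing heuristics are simplified assumptions and the sample requests are constructed.

```python
"""
Simplified model of a Cross-Origin Read Blocking (CORB) decision.

Illustrative code only (not the Fetch spec or any browser's implementation).
Structure follows the CORB proposal: a cross-origin response is blocked when
  (a) it is not same-origin and not a CORS request the server approved, and
  (b) its Content-Type is a CORB-protected type (HTML, XML, JSON, or
      text/plain), confirmed by X-Content-Type-Options: nosniff or by
      sniffing the body.
Anything else (JavaScript, images, fonts, media) is left alone, which is why
cross-origin ad scripts keep loading.  The sniffers below are deliberately
coarse stand-ins for the real MIME sniffing rules.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Request:
    url: str              # resource being fetched
    initiator_origin: str  # origin of the page that issued the request, e.g. "https://bar.com"
    mode: str = "no-cors"  # "no-cors" for <img>/<script>, "cors" for fetch()/XHR


@dataclass
class Response:
    headers: dict
    body: bytes

    def __post_init__(self):
        # header names are case-insensitive
        self.headers = {k.lower(): v for k, v in self.headers.items()}


def origin_of(url):
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or {"http": 80, "https": 443}.get(p.scheme))


def essence(content_type):
    # "text/html; charset=utf-8" -> "text/html"
    return content_type.split(";", 1)[0].strip().lower()


def mime_family(mime):
    """Map a MIME essence to the CORB-protected family it belongs to, or None."""
    if mime == "text/html":
        return "html"
    if mime in ("application/json", "text/json") or mime.endswith("+json"):
        return "json"
    if mime in ("text/xml", "application/xml") or (mime.endswith("+xml") and mime != "image/svg+xml"):
        return "xml"
    if mime == "text/plain":
        return "plain"  # sniffed against all three families
    return None


def sniffs_as(family, body):
    """Coarse content sniffing: does the body look like the claimed family?"""
    head = body.lstrip(b" \t\r\n")[:64].lower()
    if family == "html":
        return head.startswith((b"<!doctype html", b"<html", b"<head", b"<body", b"<script"))
    if family == "xml":
        return head.startswith(b"<?xml")
    if family == "json":
        if head.startswith((b")]}'", b"{}&&")):  # common JSON-hijacking guards
            return True
        rest = head[1:].lstrip() if head[:1] == b"{" else b""
        return head[:1] == b"[" or rest[:1] in (b'"', b"}")
    return False


def cors_allows(request, response):
    if request.mode != "cors":
        return False
    acao = response.headers.get("access-control-allow-origin", "")
    return acao == "*" or acao == request.initiator_origin


def corb_decision(request, response):
    """Return ("allow", reason) or ("block", reason) for one response."""
    if origin_of(request.url) == origin_of(request.initiator_origin):
        return ("allow", "same-origin request; CORB only examines cross-origin responses")
    if cors_allows(request, response):
        return ("allow", "cross-origin response explicitly allowed by CORS")
    mime = essence(response.headers.get("content-type", ""))
    family = mime_family(mime)
    if family is None:
        return ("allow", f"'{mime or 'unknown'}' is not a CORB-protected type (scripts, images, media)")
    nosniff = response.headers.get("x-content-type-options", "").strip().lower() == "nosniff"
    if nosniff:
        return ("block", f"'{mime}' with X-Content-Type-Options: nosniff")
    families = ("html", "json", "xml") if family == "plain" else (family,)
    if any(sniffs_as(f, response.body) for f in families):
        return ("block", f"'{mime}' confirmed by content sniffing")
    return ("allow", f"'{mime}' claimed but body does not look like it; treated as a mislabelled resource")


if __name__ == "__main__":
    # constructed scenarios mirroring the thread
    cases = [
        ("ad script via <script>", Request("https://ads.example/lib.js", "https://news.example"),
         Response({"Content-Type": "application/javascript"}, b"function f(){}")),
        ("secret JSON via <img>", Request("https://foo.com/secret.json", "https://bar.com"),
         Response({"Content-Type": "application/json"}, b'{"token": "abc"}')),
        ("secret JSON via fetch, CORS-approved", Request("https://foo.com/secret.json", "https://bar.com", "cors"),
         Response({"Content-Type": "application/json",
                   "Access-Control-Allow-Origin": "https://bar.com"}, b'{"token": "abc"}')),
        ("script mislabelled text/html, no nosniff", Request("https://cdn.example/a.js", "https://bar.com"),
         Response({"Content-Type": "text/html"}, b"function f(){}")),
    ]
    for name, req, resp in cases:
        print(f"{name}: {corb_decision(req, resp)}")
```

The fourth scenario is the "wrong Content-Type" caveat from the reply: a real script served as `text/html` still loads because its bytes do not sniff as HTML, whereas adding `X-Content-Type-Options: nosniff` to that same response would cause the model to block it.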