- From: Samuel Horwitz <notifications@github.com>
- Date: Mon, 08 Jan 2018 20:54:08 +0000 (UTC)
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 8 January 2018 20:55:13 UTC
`dns-prefetch` definitely should be blockable by CSP rules, if CSP is going to expand into prefetch data exfiltration prevention. See here for a proof of concept: https://blog.compass-security.com/2016/10/bypassing-content-security-policy-with-dns-prefetching/

The attack is literally `http://leakeddata.evildomain.com` leaking secret data to the DNS server logs.

There already appears to be a non-standard header, `X-DNS-Prefetch-Control` (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control). This, however, is a boolean which doesn't allow CSP-style fine tuning, and I'm not really sure where it's even actually supported.

View it on GitHub: https://github.com/whatwg/fetch/issues/658#issuecomment-356093141