- From: arturjanc <notifications@github.com>
- Date: Thu, 17 Oct 2019 13:40:23 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/948/c543352516@github.com>
> weigh in on the threat model around `no-cors` and `navigate`, and whether my assertions above match the mental model his team is working with. They do match our mental model: we expect developers to focus on blocking cross-site `no-cors` loads while allowing navigations so they protect from XS-Leaks but still allow incoming links to work. One counterexample could be sites that don't care about XS-Leaks but want to more tightly control navigations to defend from XSS and e.g. prevent cross-site navigations to anything but a tightly controlled set of application endpoints. But for this -- less common -- scenario developers already have `X-Frame-Options` to fall back on so the resource shouldn't render when it's embedded; we can also publish reference logic that will consider a cross-site `mode`=`no-cors` + `dest`=`embed`/`object` request as a potential navigation (in addition to `mode`=`navigate`). This complication in the less likely use case for Fetch Metadata seems like a good trade-off compared to requiring everyone who cares about XS-Leaks to implement special handling for loads via `embed`/`object`. Overall, I like the model of having initial loads via `embed`/`object` be `no-cors`, but turn into `navigate` when the browsing context gets navigated. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/948#issuecomment-543352516
Received on Thursday, 17 October 2019 20:40:26 UTC