Re: [whatwg/fetch] Add TAO check (#955) from Anne van Kesteren on 2019-10-30 (public-webapps-github@w3.org from October 2019)

From: Anne van Kesteren <notifications@github.com>
Date: Wed, 30 Oct 2019 06:16:02 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/pull/955/review/309174650@github.com>

annevk commented on this pull request.

Really glad to see this happening, but I think the details ought to change a bit.

(This relates to #953.)

> @@ -1548,10 +1548,15 @@ Unless stated otherwise, it is unset.
 <p>A <a for=/>request</a> has an associated <dfn export for=request id=done-flag>done flag</dfn>.
 Unless stated otherwise, it is unset.
 
+<p>A <a for=/>request</a> has an associated
+<dfn export for=request id=timing-allow-failed-flag>timing allow failed flag</dfn>. Unless stated
+otherwise, it is unset.

Why would we not store this on the response?

> @@ -3896,6 +3901,9 @@ optional <i>CORS flag</i> and <i>CORS-preflight flag</i>, run these steps:
     or <a for=/>responses</a> from a service worker for that matter, it is applied here.
   </ol>
 
+ <li><p>If the <a>TAO check</a> for <var>request</var> and <var>response</var> returns failure, then
+  set <var>request</var>'s <a for=request>timing allow failed flag</a>.

All the responses from a service worker would either already have a TAO check performed or are safe so I think we want the same setup as CORS here. It's not clear to me why different considerations would apply.

> @@ -5075,6 +5083,34 @@ agent's <a>CORS-preflight cache</a> for which there is a <a>cache entry match</a
 </ol>
 
 
+<h3 id=tao-check>TAO check</h3>
+
+<p>To perform a <dfn id=concept-tao-check>TAO check</dfn> for a <var>request</var> and
+<var>response</var>, run these steps:
+
+<ol>
+ <li><p>If <var>response</var>'s <a for=request>timing allow failed flag</a> is set, then return
+ failure.
+
+ <li><p>If <var>request</var>'s <a for=request>tainted origin flag</a> is unset and
+ <var>response</var>'s <a for=response>location URL</a>'s <a for=url>origin</a> is
+ <a>same origin</a> with <var>request</var>'s <a for=request>origin</a>, then return success.

Instead of this, I think we should skip this check when request's response tainting is "basic". Otherwise, when you have A -> B -> A, we won't do a TAO check for the final A, right? That would be problematic.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/955#pullrequestreview-309174650

Received on Wednesday, 30 October 2019 13:16:04 UTC