Re: [whatwg/fetch] Add TAO check (#955)

npm1 commented on this pull request.



> @@ -1548,10 +1548,15 @@ Unless stated otherwise, it is unset.
 <p>A <a for=/>request</a> has an associated <dfn export for=request id=done-flag>done flag</dfn>.
 Unless stated otherwise, it is unset.
 
+<p>A <a for=/>request</a> has an associated
+<dfn export for=request id=timing-allow-failed-flag>timing allow failed flag</dfn>. Unless stated
+otherwise, it is unset.
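Review bot: The new request flag is defined here, but nothing in this hunk says where it is set; add a cross-reference from this definition to the step that sets it, otherwise a reader arriving from the TAO check has no way to tell which condition the flag records.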

Ah I see, I've added a similar flag on the response so that the caller does not need to check the request but rather can just check the flag on the final response. It looks a bit redundant, but does this work? Let me know if this is not what you were thinking, or if actualResponse also needs to be changed (I'm not sure I follow what the difference between those two is but I see response is the one being returned).

> @@ -5075,6 +5083,34 @@ agent's <a>CORS-preflight cache</a> for which there is a <a>cache entry match</a
 </ol>
 
 
+<h3 id=tao-check>TAO check</h3>
+
+<p>To perform a <dfn id=concept-tao-check>TAO check</dfn> for a <var>request</var> and
+<var>response</var>, run these steps:
+
+<ol>
+ <li><p>If <var>response</var>'s <a for=request>timing allow failed flag</a> is set, then return
+ failure.
+
+ <li><p>If <var>request</var>'s <a for=request>tainted origin flag</a> is unset and
+ <var>response</var>'s <a for=response>location URL</a>'s <a for=url>origin</a> is
+ <a>same origin</a> with <var>request</var>'s <a for=request>origin</a>, then return success.
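Review bot: Step 1 reads the flag from <var>response</var> but links it as `<a for=request>timing allow failed flag</a>`, which resolves to the request-side definition from the first hunk; if the flag now also lives on the response, define it there and link it with `for=response`, otherwise the step is reading a request flag off a response. Step 2 additionally takes the origin of <var>response</var>'s location URL, which is null for any response whose status is not a redirect status, so either compare against response's URL or handle the null case explicitly before asking for an origin.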

Hmm interesting, I notice that if we keep the check then that would mean it's impossible for timing allow checks to pass when you have two crossed origins, which seems undesirable? I'd think if all of the responses have the appropriate header, then there's no reason to fail the TAO check. And the same-origin check is only valid up until the response tainting stops being 'basic', so explicit headers would be required after one cross origin change.

-- 
https://github.com/whatwg/fetch/pull/955#discussion_r340771694

Received on Wednesday, 30 October 2019 17:59:39 UTC