Re: [whatwg/fetch] Add TAO check (#955)

annevk commented on this pull request.



> @@ -3894,6 +3908,10 @@ optional <i>CORS flag</i> and <i>CORS-preflight flag</i>, run these steps:
     <p class="note no-backref">As the <a>CORS check</a> is not to be applied to
     <a for=/>responses</a> whose <a for=response>status</a> is <code>304</code> or <code>407</code>,
     or <a for=/>responses</a> from a service worker for that matter, it is applied here.
+
+   <li><p>If the <a>TAO check</a> for <var>request</var> and <var>response</var> returns failure,
+   then set <var>request</var>'s <a for=request>timing allow failed flag</a> and set
+   <var>response</var>'s <a for=response>timing allow failed flag</a>.
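Review bot: the step sets the timing allow failed flag on both request and response, but the TAO check defined in the second hunk reads only response's flag (its step 1), so request's flag is written and never consulted in this patch; either make the TAO check return failure when request's flag is set as well, or drop the request-side flag, or say in the prose why both are kept. The step is also placed directly after the note about 304/407 and service-worker responses; that note only explains why the CORS check runs here, so state whether the TAO check is meant to apply to those responses too.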

I think we should set this at the same time we set URLs on a response, in main fetch, either before or after:

> If internalResponse’s URL list is empty, then set it to a clone of request’s URL list.

> @@ -5075,6 +5083,34 @@ agent's <a>CORS-preflight cache</a> for which there is a <a>cache entry match</a
 </ol>
 
 
+<h3 id=tao-check>TAO check</h3>
+
+<p>To perform a <dfn id=concept-tao-check>TAO check</dfn> for a <var>request</var> and
+<var>response</var>, run these steps:
+
+<ol>
+ <li><p>If <var>response</var>'s <a for=request>timing allow failed flag</a> is set, then return
+ failure.
+
+ <li><p>If <var>request</var>'s <a for=request>tainted origin flag</a> is unset and
+ <var>response</var>'s <a for=response>location URL</a>'s <a for=url>origin</a> is
+ <a>same origin</a> with <var>request</var>'s <a for=request>origin</a>, then return success.
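Review bot: step 1 links response's flag as `<a for=request>timing allow failed flag</a>`, but the first hunk introduces the flag on response as `<a for=response>timing allow failed flag</a>`; use `for=response` here so the cross-reference resolves to the response's flag rather than the request's. In step 2, "response's location URL" is the redirect target derived from the Location header and is null for a non-redirect response, so for the ordinary case the same-origin comparison has nothing to compare; the intended value is presumably response's own URL, the one set when its URL list is filled in. The hunk ends after step 2 without the header-reading steps or a final return, so as quoted the algorithm has no result for the `*` and origin-match cases discussed below.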

It's possible, if the header says `*` (which arguably is also problematic for credentialed requests, but so be it) or `null` (which is what the `Origin` request header will contain).

-- 
https://github.com/whatwg/fetch/pull/955#pullrequestreview-309850425

Received on Thursday, 31 October 2019 12:51:26 UTC
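As an added example, not code from the Fetch standard or from this pull request: a small JavaScript model of the TAO check as the quoted hunk and the review comment describe it. Steps 1 and 2 follow the hunk (using the response's own URL rather than its location URL); the header-reading steps model the `*` and origin-match cases the comment refers to, including the `null` case for an opaque origin. The object shapes, the `sameOrigin` and `serializeOrigin` helpers, the simplified header splitting and the sample cases are all assumptions of this example.

```javascript
// Added example, not from the Fetch standard or PR #955. Models the TAO check
// (Timing-Allow-Origin) with plain objects; shapes and helpers are assumptions.

// An origin is {scheme, host, port} or null for an opaque origin.
function sameOrigin(a, b) {
  // Simplification: treat an opaque origin as never same origin with anything.
  if (a === null || b === null) return false;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Serialize an origin the way the Origin request header does: opaque -> "null".
function serializeOrigin(o) {
  if (o === null) return 'null';
  return o.port === null ? `${o.scheme}://${o.host}` : `${o.scheme}://${o.host}:${o.port}`;
}

// Simplified "getting, decoding, and splitting": all fields with this name,
// split on commas, each value trimmed (no quoted-string handling here).
function getDecodeSplit(headers, name) {
  const out = [];
  for (const [n, v] of headers) {
    if (n.toLowerCase() !== name.toLowerCase()) continue;
    for (const piece of v.split(',')) out.push(piece.trim());
  }
  return out;
}

// The TAO check. Returns 'success' or 'failure'.
function taoCheck(request, response) {
  // Step 1: a response already marked as failed stays failed.
  if (response.timingAllowFailed) return 'failure';
  // Step 2: same-origin shortcut, disabled once the origin has been tainted.
  if (!request.taintedOrigin && sameOrigin(response.url.origin, request.origin)) return 'success';
  // Header steps (assumed): "*" or an exact match of the serialized request origin.
  const values = getDecodeSplit(response.headers, 'Timing-Allow-Origin');
  if (values.includes('*')) return 'success';
  if (values.includes(serializeOrigin(request.origin))) return 'success';
  return 'failure';
}

// The step added in the first hunk: on failure, set the flag on both objects.
function applyTaoCheck(request, response) {
  const result = taoCheck(request, response);
  if (result === 'failure') {
    request.timingAllowFailed = true;
    response.timingAllowFailed = true;
  }
  return result;
}

// Constructed sample origins and factories (not real sites).
const ORIGIN_A = { scheme: 'https', host: 'a.example', port: null };
const ORIGIN_B = { scheme: 'https', host: 'b.example', port: null };

function mkRequest(origin, tainted = false) {
  return { origin, taintedOrigin: tainted, timingAllowFailed: false };
}
function mkResponse(origin, headers = []) {
  return { url: { origin }, headers, timingAllowFailed: false };
}

// Constructed cases covering each branch, including the "null" hazard the
// review comment mentions: an opaque-origin request matches `Timing-Allow-Origin: null`.
function demo() {
  const failed = mkResponse(ORIGIN_A);
  failed.timingAllowFailed = true;
  return {
    sameOriginNoHeader: taoCheck(mkRequest(ORIGIN_A), mkResponse(ORIGIN_A)),
    crossOriginNoHeader: taoCheck(mkRequest(ORIGIN_A), mkResponse(ORIGIN_B)),
    crossOriginStar: taoCheck(mkRequest(ORIGIN_A),
      mkResponse(ORIGIN_B, [['Timing-Allow-Origin', '*']])),
    crossOriginListed: taoCheck(mkRequest(ORIGIN_A),
      mkResponse(ORIGIN_B, [['timing-allow-origin', 'https://c.example, https://a.example']])),
    taintedSameOrigin: taoCheck(mkRequest(ORIGIN_A, true), mkResponse(ORIGIN_A)),
    opaqueNullHeader: taoCheck(mkRequest(null),
      mkResponse(ORIGIN_B, [['Timing-Allow-Origin', 'null']])),
    alreadyFailed: taoCheck(mkRequest(ORIGIN_A), failed),
  };
}
```

The `taintedSameOrigin` case shows why step 2 checks the tainted origin flag: once the flag is set, a same-origin response no longer passes without an explicit `Timing-Allow-Origin` grant. The `opaqueNullHeader` case is the `null` matching the comment warns about.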