Re: [whatwg/fetch] Add TAO check (#955)

npm1 commented on this pull request.
> @@ -3894,6 +3908,10 @@ optional <i>CORS flag</i> and <i>CORS-preflight flag</i>, run these steps:
     <p class="note no-backref">As the <a>CORS check</a> is not to be applied to
     <a for=/>responses</a> whose <a for=response>status</a> is <code>304</code> or <code>407</code>,
     or <a for=/>responses</a> from a service worker for that matter, it is applied here.
+
+   <li><p>If the <a>TAO check</a> for <var>request</var> and <var>response</var> returns failure,
+   then set <var>request</var>'s <a for=request>timing allow failed flag</a> and set
+   <var>response</var>'s <a for=response>timing allow failed flag</a>.
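Review bot: The new step is the only one in this region whose failure does not abort the fetch: a failed TAO check sets the two flags and the algorithm simply continues, unlike the CORS check above it. Since the preceding note already explains why the CORS check is applied at this point, add a short matching note after this step stating that a TAO failure is deliberately non-fatal and only records that timing information must not be exposed for this response, so readers do not mistake the missing "return a network error" for an omission.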

Done

> @@ -5075,6 +5083,34 @@ agent's <a>CORS-preflight cache</a> for which there is a <a>cache entry match</a
 </ol>
 
 
+<h3 id=tao-check>TAO check</h3>
+
+<p>To perform a <dfn id=concept-tao-check>TAO check</dfn> for a <var>request</var> and
+<var>response</var>, run these steps:
+
+<ol>
+ <li><p>If <var>response</var>'s <a for=request>timing allow failed flag</a> is set, then return
+ failure.
+
+ <li><p>If <var>request</var>'s <a for=request>tainted origin flag</a> is unset and
+ <var>response</var>'s <a for=response>location URL</a>'s <a for=url>origin</a> is
+ <a>same origin</a> with <var>request</var>'s <a for=request>origin</a>, then return success.
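Review bot: Step 1 links the flag with the wrong owner: it reads "<var>response</var>'s <a for=request>timing allow failed flag</a>", but the flag being tested belongs to the response, and the step added in the earlier hunk sets it as "<a for=response>timing allow failed flag</a>". Change it to `<a for=response>timing allow failed flag</a>` so the cross-reference resolves to the response's flag rather than the request's. Step 2 also compares "<var>response</var>'s <a for=response>location URL</a>'s origin" without saying what happens when the response has no location URL; state the intended input there (or guard that case) so the check is well-defined for responses that are not redirects.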

Hmm ok, I'll ask around to see if someone can explain to me the tainted origin flag within CORS. I'd like to better understand what it solves so that I can see how it could also solve problems with TAO. In the meantime, I'm ok including the 'serializing a request origin' since hopefully this would just be an edge case in the wild, thus not breaking a lot of performance monitoring.

https://github.com/whatwg/fetch/pull/955#discussion_r341301504

Received on Thursday, 31 October 2019 18:37:27 UTC