- From: Jake Archibald <jaffathecake@gmail.com>
- Date: Thu, 10 Jul 2014 12:08:35 +0100
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Thursday, 10 July 2014 11:09:02 UTC
http://w3c.github.io/webappsec/specs/mixedcontent/#requirements-script

Currently, XHR & EventSource specifically fail when requesting insecure content. This could be replaced with a general rule that CORS checks to HTTP always fail. This also covers usually-passive content that becomes active via CORS, e.g. <img crossorigin>. This means font requests to http would also fail; they could be given an exception if needed.

In ServiceWorker, this means:

importScripts('http://...'); - fails
fetch('http://...'); - fails
cache.add('http://...'); - fails

…as they're all CORS dependent.

fetch('http://...', {mode: 'no-cors'});
cache.add(new Request('http://...', {mode: 'no-cors'}));

…these will give back a tainted response. Usual rules can apply if they're used to satisfy requests to <script>, <img> etc.
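The following is an added example, not code from the mail above or from the Mixed Content spec. It models the proposed rule in plain JavaScript: from a secure context, any request to http: made in CORS mode (fetch() in its default mode, XHR, EventSource, <img crossorigin>, cache.add(url)) fails with a network error, while a no-cors request is allowed out but yields a tainted (opaque) response. The function names, the injected `transport` stand-in for the network, and the treatment of only http:/ws: as insecure are assumptions made for the example.

```javascript
// Added example modelling the rule proposed in the mail; not spec or browser code.
// Assumption: only http: and ws: count as insecure (the spec's definition is broader).
function isInsecureUrl(url) {
  return url.protocol === 'http:' || url.protocol === 'ws:';
}

// Decide how a request from `contextOrigin` (the page or ServiceWorker origin)
// to `requestUrl` is handled. `mode` follows Fetch: 'cors' (default), 'no-cors',
// 'same-origin'. Returns 'allowed', 'network-error' or 'opaque'.
function mixedContentDecision(contextOrigin, requestUrl, mode = 'cors') {
  const context = new URL(contextOrigin);
  const url = new URL(requestUrl, contextOrigin);
  if (context.protocol !== 'https:') return 'allowed'; // insecure context: nothing to protect
  if (!isInsecureUrl(url)) return 'allowed';
  // The proposed general rule: CORS checks against http: always fail. This covers
  // XHR, EventSource, default-mode fetch(), cache.add(url) and <img crossorigin>.
  if (mode !== 'no-cors') return 'network-error';
  // no-cors: the request goes out but the response is tainted (opaque).
  return 'opaque';
}

// Stand-in for fetch() inside a ServiceWorker at `contextOrigin`. `transport` is an
// injected async function returning {status, body}, so this runs offline.
async function swFetch(contextOrigin, request, transport) {
  const decision = mixedContentDecision(contextOrigin, request.url, request.mode);
  if (decision === 'network-error') throw new TypeError('Failed to fetch');
  const raw = await transport(request.url);
  if (decision === 'opaque') {
    // Tainted response: status 0, headers and body not visible to script.
    return { type: 'opaque', status: 0, body: null };
  }
  return { type: 'basic', status: raw.status, body: raw.body };
}

// cache.add(request) is fetch followed by put; it rejects on a network error.
async function cacheAdd(cache, contextOrigin, request, transport) {
  const response = await swFetch(contextOrigin, request, transport);
  cache.set(request.url, response);
  return response;
}

// Constructed transport: pretends every URL serves 200 "hello" (no real network).
const fakeTransport = async () => ({ status: 200, body: 'hello' });

// Walk through the cases listed in the mail from an https: ServiceWorker.
async function demo() {
  const origin = 'https://app.example';
  const cache = new Map();
  const results = {};
  try {
    await swFetch(origin, { url: 'http://cdn.example/x.js', mode: 'cors' }, fakeTransport);
    results.fetchCors = 'resolved';
  } catch (e) { results.fetchCors = e.name; }                       // TypeError
  results.fetchNoCors = (await swFetch(origin,
    { url: 'http://cdn.example/x.js', mode: 'no-cors' }, fakeTransport)).type; // opaque
  results.fetchHttps = (await swFetch(origin,
    { url: 'https://cdn.example/x.js', mode: 'cors' }, fakeTransport)).type;   // basic
  try {
    await cacheAdd(cache, origin, { url: 'http://cdn.example/y.png', mode: 'cors' }, fakeTransport);
    results.cacheAddCors = 'resolved';
  } catch (e) { results.cacheAddCors = e.name; }                    // TypeError
  results.cacheAddNoCors = (await cacheAdd(cache, origin,
    { url: 'http://cdn.example/y.png', mode: 'no-cors' }, fakeTransport)).status; // 0
  results.cached = cache.size;                                       // 1
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((r) => console.log(r));
}
```

The point the model makes concrete is that the decision hinges on request mode, not on the API that issued the request: the same http: URL is a hard failure through default-mode fetch() and cache.add(url), but reaches the cache as a status-0 opaque entry when the Request is built with {mode: 'no-cors'}.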