- From: John Wilander <wilander@apple.com>
- Date: Wed, 28 Mar 2018 09:46:23 -0700
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Cc: lukasza@chromium.org, nick@chromium.org, creis@chromium.org
- Message-id: <87EBC510-71FF-41AA-9D6C-41C605532970@apple.com>
Hi WebAppSec (cc Lukasz, Nick, and Charlie from Chromium)!

FYI, we just filed this issue with whatwg/fetch:

Websites should have an explicit way to restrict any kind of cross-origin load to protect themselves against Spectre attacks. Content such as images, video, and audio may be sensitive and websites may be protected solely by virtue of their network position (inside a firewall), relying on the same-origin policy to protect against exfiltration.

There's a previous proposal from 2012 called the From-Origin header <https://www.w3.org/TR/from-origin/> that we'd like to resurrect. With it, a server can send a From-Origin: same header on responses it wants to protect from Spectre attacks. Here's a snippet from the currently inactive proposal:

    The From-Origin header can be used to restrict embedding of a resource to only certain origins. When used it must match the following ABNF:

    From-Origin = "From-Origin" ":" #(serialized-origin | "same")

Cross-Origin Read Blocking (CORB) <https://github.com/whatwg/fetch/issues/681> automatically protects against Spectre attacks that load cross-origin, cross-type HTML, XML, and JSON resources, and is based on the browser's ability to distinguish resource types. We think CORB is a good idea. From-Origin would offer servers an opt-in protection beyond CORB.

In addition to the original proposal, we might want to offer servers a way to say cross-origin requests are OK within the same eTLD+1, e.g. the server may want to say that cross-origin subresources from cdn.example.com may be loaded from *.example.com without listing all those origins.

https://github.com/whatwg/fetch/issues/687

Regards, John
Received on Wednesday, 28 March 2018 16:46:49 UTC
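The check a browser would apply on the response side, as an added example that is not part of the original e-mail, the From-Origin draft or any browser's code. It follows the ABNF quoted in the message (a comma-separated list of serialized origins and/or the token "same") and adds a hypothetical "same-site" token to stand in for the eTLD+1 idea the message floats; that token, and the eTLD+1 approximation it uses (last two host labels rather than a Public Suffix List lookup), are assumptions of this example. All origins and header values below are constructed sample data.

```javascript
// Added example: a From-Origin response check modelled on the 2012 ABNF
//   From-Origin = "From-Origin" ":" #(serialized-origin | "same")
// plus a hypothetical "same-site" token (not in the draft) for eTLD+1 matching.
// Not code from the e-mail, the draft or any browser engine.

// Split the header value into tokens, per the ABNF's #(...) list form.
// Returns null when the header is absent so the caller can tell "no
// restriction" apart from an empty (deny-everything) list.
function parseFromOrigin(value) {
  if (value == null) return null;
  return value.split(',').map(s => s.trim()).filter(s => s !== '');
}

// Serialize an origin as scheme://host[:port] (default ports dropped).
// The literal string "null" denotes an opaque origin; anything that does
// not parse as a URL yields null and will never match.
function serializeOrigin(s) {
  if (s === 'null') return 'null';
  try { return new URL(s).origin; } catch (e) { return null; }
}

// Hypothetical eTLD+1 approximation: last two labels of the host.
// A real implementation would consult the Public Suffix List.
function registrableDomain(origin) {
  return new URL(origin).hostname.split('.').slice(-2).join('.');
}

// Decide whether a response served by `responseOrigin` with From-Origin
// `headerValue` may be loaded by a document whose origin is `documentOrigin`.
// true = allow the load, false = block it (the body never reaches the
// renderer process, which is the Spectre-relevant property).
function fromOriginAllows(headerValue, responseOrigin, documentOrigin) {
  const tokens = parseFromOrigin(headerValue);
  if (tokens === null) return true;               // no header: no restriction
  const resp = serializeOrigin(responseOrigin);
  const doc = serializeOrigin(documentOrigin);
  if (resp === null || doc === null) return false;
  for (const token of tokens) {
    if (token === 'same') {
      // Opaque origins are never "same" as anything, including themselves.
      if (doc !== 'null' && doc === resp) return true;
    } else if (token === 'same-site') {           // hypothetical extension
      if (doc !== 'null' && resp !== 'null' &&
          new URL(doc).protocol === new URL(resp).protocol &&
          registrableDomain(doc) === registrableDomain(resp)) return true;
    } else {
      // serialized-origin: exact, scheme-and-port-sensitive match
      const allowed = serializeOrigin(token);
      if (allowed !== null && allowed !== 'null' && allowed === doc) return true;
    }
  }
  return false;
}

// Constructed scenarios: an intranet image server behind a firewall.
const scenarios = [
  ['same',                       'https://intranet.example', 'https://intranet.example'],
  ['same',                       'https://intranet.example', 'https://evil.test'],
  ['https://app.example.com, same', 'https://cdn.example.com', 'https://app.example.com'],
  ['same-site',                  'https://cdn.example.com',  'https://www.example.com'],
  ['same-site',                  'https://cdn.example.com',  'https://example.com.evil.test'],
];
for (const [hdr, resp, doc] of scenarios) {
  console.log(`From-Origin: ${hdr} | ${resp} -> ${doc}: ` +
              (fromOriginAllows(hdr, resp, doc) ? 'allow' : 'block'));
}
```

Two design points worth noting: the header is a list, so a response can name explicit partner origins and still include "same"; and an absent header is treated as "no restriction" rather than "deny", which is what makes this an opt-in layered on top of CORB rather than a replacement for it.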