- From: Anne van Kesteren <notifications@github.com>
- Date: Wed, 10 Aug 2016 05:42:12 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/365@github.com>
Notes from @jakearchibald: * A header on the response which prevents the browser using a response if it's initiated by another origin, with the exception of top-level GET navigations where the initiator has no access to a WindowProxy or a load event * Can be easily added to all requests like x-frame-options, with exceptions where needed (including whitelisting a particular origin) * Without those exceptions it would break basic <img> and <script> linking, although some hosts may be happy with the ability to do that * Protects unauthenticated-but-private hosts like local servers and intranets * Also prevents clickjacking and window.open, so load times that may be influenced by origin storage aren't exposed * Doesn't really protect against CSRF, as the credentialed request is still sent to the target * Abandoned, but its intent could be revived. Feels like a good fit for CSP given CSP has frame-ancestors * Would need to terminate the connection upon failure, to prevent exposing size through TCP windows This could be part of CSP, but CSP thus far doesn't have response-specific rules. So it's more like a logical counterpart to CORS. @mikewest? (See #355 and https://github.com/w3c/resource-timing/issues/64 for some earlier discussion on this. See https://www.w3.org/TR/2012/NOTE-from-origin-20120529/ for an earlier iteration of this idea, with somewhat different semantics.) --- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/365
Received on Wednesday, 10 August 2016 12:42:48 UTC