- From: Mike West <notifications@github.com>
- Date: Tue, 24 Jan 2017 04:16:35 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/465@github.com>
Hard-coding credentials into subresource requests (e.g.
`https://user:pass@host/`) is problematic from a security perspective,
as it's allowed folks to brute-force credentials in the past, enables
session fixation attacks for sites using basic auth, and can allow
attackers access to well-known, poorly-coded devices (such as users'
routers). Moreover, the ability to hard-code credentials leads to
inadvertent leakage via XSS on the one hand, and poor development
practice on the other. Sifting through HTTPArchive, for example, yields
a number of credentials for test servers and other internal
architecture.
Usage of the `http://user:pass@host/` pattern has [declined significantly
in the last few years][1]; given that low usage, closing this small
security hole seems quite reasonable.
[1]: https://www.chromestatus.com/metrics/feature/timeline/popularity/532
You can view, comment on, or merge this pull request online at:
https://github.com/whatwg/fetch/pull/465
-- Commit Summary --
* Block subresource requests whose URLs include credentials.
-- File Changes --
M fetch.bs (5)
-- Patch Links --
https://github.com/whatwg/fetch/pull/465.patch
https://github.com/whatwg/fetch/pull/465.diff
Received on Tuesday, 24 January 2017 12:17:12 UTC
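As an added illustration of the rule this pull request proposes (not code from the Fetch spec or from the PR itself), the check below uses the URL API's definition of "includes credentials" (non-empty username or password) to decide whether a non-navigation request should fail, and adds a small markup audit of the kind that surfaces embedded test-server credentials. The function names and the sample markup are assumptions constructed for this example.

```javascript
// Added example, not part of the pull request or the Fetch spec text.
// Function names (includesCredentials, shouldBlockRequest, auditSubresources)
// are illustrative; they are not the spec's algorithm names.

// URL Standard: a URL "includes credentials" when its username or password
// is non-empty. The URL API exposes both fields as decoded strings.
function includesCredentials(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparseable: nothing to leak, the fetch fails anyway
  }
  return url.username !== "" || url.password !== "";
}

// Policy in the spirit of "block subresource requests whose URLs include
// credentials": navigations stay allowed, every other request mode
// (script, img, fetch() calls, ...) is treated as a subresource and blocked.
function shouldBlockRequest(urlString, mode) {
  if (mode === "navigate") return false;
  return includesCredentials(urlString);
}

// Developer-hygiene audit: find src attributes that embed credentials, the
// kind of leak the description says turns up when sifting HTTPArchive.
// Only host and username are reported; the password is never echoed.
function auditSubresources(html) {
  const findings = [];
  const srcAttr = /\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = srcAttr.exec(html)) !== null) {
    if (includesCredentials(m[1])) {
      const u = new URL(m[1]);
      findings.push({ host: u.host, username: u.username });
    }
  }
  return findings;
}

// Constructed sample markup for the audit; hosts and names are made up.
const SAMPLE_HTML = `
<script src="https://cdn.example/app.js"></script>
<img src="https://admin:hunter2@camera.internal.example/snap.jpg">
<iframe src="https://deploy@staging.example/status.html"></iframe>
`;
```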