Re: [whatwg/fetch] What to do about requests that should (maybe) preflight but don't? (#567)

I have tried to explore that boundary (see also #530), but I don't think anyone has a concrete answer and browser security teams have certainly dropped the ball a bit as of late (and don't seem to have concrete advice either).

`GET` and `POST` are both fine within the confines of `<a>` and `<form>` as that is what we allowed historically (probably for worse, but so be it). (And can be made invisible with `<iframe>`.) Non-`GET`-non-`POST` is tricky. We used `OPTIONS` for CORS preflights. I suspect we'd rather not add more there.

Unique MIME types are generally fine. But yes, if you have a `+json` MIME type there's a risk that a permissive server might extract something from it. At that point it depends how much of the payload is controlled by the attacker.

We should probably also stress that the moment you go beyond CORS, credentials have to be disabled, including HTTP authentication. Doesn't help with intranets or IP-based authentication, but it reduces some of the damage that can be done.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/567#issuecomment-317655857

Received on Tuesday, 25 July 2017 07:38:10 UTC