Re: [whatwg/fetch] Handling Partial Content / 206 (#144)

I pitched the following to our security team:

----

* Add "Range" to safelist headers, allowing it to be sent to any server. Perhaps restrict value to "bytes=[number]-[optional number]" if that offers any protection.
* Return a network error if any of the following is true:
    * The response has status 206 and request does not have a range header.
    * The response has status 206, the response is opaque, and the request url is not the first entry in the response url list.

My assumption is that range requests are only used by media elements and downloads (which I'll need to verify). This means you can't interpret a portion of a resource as script/css/etc.

Additionally, APIs consuming ranged responses should ensure all parts of a range have the same first entry in the response url list for a given resource.

----

However, there's still a worry that this new capability carries significant risk, and that we should look for another way forward.

The alternative solution is to find a way to mark a request as "allowed privileged headers", and allow the Range header in that case. Modifying the request in any way would remove the "allowed privileged headers" flag, meaning you couldn't take an internally-created Range request & change the URL & make the request, but you could do fetch(fetchEvent.request) if it had a Range header.

This means `new Request(request)` would copy `request`'s "allowed privileged headers" flag, although modifying `request.headers` will unset it. `new Request(request, init)` would return a request with "allowed privileged headers" unset.

In addition to this, we should still:

* Return a network error if any of the following is true:
    * The response has status 206 and request does not have a range header.
    * The response has status 206, the response is opaque, and the request url is not the first entry in the response url list.

Additionally, APIs consuming ranged responses should ensure all parts of a range have the same first entry in the response url list for a given resource.

https://github.com/whatwg/fetch/issues/144#issuecomment-311931320

Received on Thursday, 29 June 2017 10:50:50 UTC
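The checks proposed in the comment above, as an added worked example that is not part of the thread or of the Fetch spec: the restricted `bytes=[number]-[optional number]` shape for a safelisted Range value, the two 206 network-error rules, and the consumer-side rule that all parts of one resource share the same first response-url-list entry. Requests and responses are modelled as plain objects (an assumption), with `urlList` standing in for Fetch's internal "response url list".

```javascript
// Added example, not code from the whatwg/fetch thread. Request and response
// records are plain objects standing in for Fetch's internal structures:
//   request:  { url, headers: Map }               (assumption)
//   response: { status, type, urlList: [...] }    urlList = "response url list"
const RANGE_VALUE = /^bytes=(\d+)-(\d+)?$/;

// Safelist rule: only "bytes=<start>-" or "bytes=<start>-<end>" is accepted.
// Multi-range and suffix-range forms are rejected, as is an end before the start.
function isAllowedRangeValue(value) {
  const m = RANGE_VALUE.exec(value);
  if (!m) return false;
  return m[2] === undefined || Number(m[2]) >= Number(m[1]);
}

// Response rules from the proposal; returns "network-error" or "ok".
function checkPartialContent(request, response) {
  if (response.status !== 206) return "ok";
  const range = request.headers.get("range") ?? null;
  // Rule 1: a 206 for a request that never sent a Range header.
  if (range === null) return "network-error";
  // Rule 2: an opaque 206 whose first response-url-list entry is not the
  // request url, i.e. the partial body was produced for a different URL
  // than the one this request asked for.
  if (response.type === "opaque" && response.urlList[0] !== request.url) {
    return "network-error";
  }
  return "ok";
}

// Consumer-side rule: every part assembled into one resource must have the
// same first entry in its response url list.
function partsShareFirstUrl(parts) {
  if (parts.length === 0) return true;
  const first = parts[0].urlList[0];
  return parts.every((p) => p.urlList[0] === first);
}
```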