- From: Jake Archibald <notifications@github.com>
- Date: Fri, 06 Apr 2018 09:43:28 +0000 (UTC)
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 6 April 2018 09:43:52 UTC
jakearchibald commented on this pull request.
> @@ -3186,6 +3224,27 @@ optional <i>CORS flag</i> and <i>CORS-preflight flag</i>, run these steps:
<!-- not resetting actualResponse since it's no longer used anyway -->
</ol>
+ <li>
+ <p>If <var>response</var>'s <a for=response>status</a> is <code>206</code>,
+ and <var>response</var>'s <a for=response>range requested flag</a> is set, and
+ <var>request</var>'s <a for=request>header list</a> does not <a for="header list">contain</a>
+ "<code>`Range`</code>", then return a <a>network error</a>.
+
+ <div class=note>
+ <p>Traditionally, APIs accept a ranged response even if a range wasn't requested. However, we
+ need to prevent a partial response from an earlier ranged request being provided to an API that
+ didn't make a range request.
+
+ <p>Example attack: A media element is used to request a range of a cross-origin HTML resource.
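Review bot: the "Example attack" sentence in the `<div class=note>` stops after describing the media element's ranged request for a cross-origin HTML resource; it should finish the scenario by stating what the new step actually prevents, namely the cached partial (206) body later being handed to an API that never sent a `Range` header, so that readers can connect the example to the "If response's status is 206, and response's range requested flag is set, and request's header list does not contain `Range`, then return a network error" step above it. It would also help to say in the note that the network error applies even when the partial response is otherwise valid, since the first paragraph ("Traditionally, APIs accept a ranged response even if a range wasn't requested") could be read as describing existing behaviour that the spec keeps.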
Does the example make sense? It's the thing we're actively preventing.
https://github.com/whatwg/fetch/pull/560#discussion_r179707755