Re: [whatwg/fetch] From-Origin (#687)

Applying to all resource types/loads sounds reasonable to me.

When it comes to what it means to be loaded from a document of a given origin, the most obvious answer seems to be (2): "check the origin of the document in which the resource is loaded", which is consistent with how other parts of the platform work (e.g. the `Referer` and `Origin` headers, `window.origin`, or `event.origin` in a postMessage all identify the location of the current document, rather than the entire ancestor chain, or set of the origins of all sibling frames.)

The reason I find (4) fairly strange is two-fold:
1) It doesn't seem necessary to have `From-Origin` effectively control what frames are allowed to load in a given application because developers already have that lever: `Content-Security-Policy: frame-src`. An application which doesn't ever need to load cross-origin frames can ensure that it's safe from Spectre if it sets `frame-src`, `frame-ancestors` and `From-Origin` to `'self'` on all of its responses, even if `From-Origin` only looks at the origin of the embedding document and ignores frames.

2) Framing a resource is a choice on the part of the developer. If the application loads an iframe, it generally means the developer wants the iframe to be part of her application, or otherwise she would remove it (or possibly prevent it from loading via CSP). IIUC option (4) means that developers would be required to either remove all cross-origin frames or set `From-Origin` to a union of the origins of frames loaded in their application, or otherwise loading `From-Origin`-protected resources would break. Whitelisting these external origins in `From-Origin` would mean that *any* document in these origins would now be able to execute Spectre-like attacks on the application's resources at any time, rather than just the single explicitly iframed document while the user is interacting with the application.

Basically, I don't see how this would be better than letting developers control framing via existing mechanisms and making `From-Origin` care only about the origin of the document loading the resource.

-- 
https://github.com/whatwg/fetch/issues/687#issuecomment-380948719

Received on Thursday, 12 April 2018 21:23:38 UTC
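To make the two candidate semantics concrete, the following is an added JavaScript model (not browser, spec or project code) of the decision a user agent would make for a `From-Origin`-protected response: option (2) consults only the origin of the document issuing the load, while option (4) also requires every document in the page's frame tree to be allowed. The header syntax (`'self'` or a space-separated origin list), the frame-tree representation and the `app.example`/`widget.example` origins are assumptions made for the illustration.

```javascript
// Added illustration of the two From-Origin semantics discussed above.
// Assumed header syntax: "'self'" or a space-separated list of origins.
// Assumed page model: { origin, frames: [...child documents] }.
function parseFromOrigin(headerValue, resourceOrigin) {
  const allowed = new Set();
  for (const token of headerValue.trim().split(/\s+/)) {
    if (token === "'self'") allowed.add(resourceOrigin);
    else if (token) allowed.add(new URL(token).origin);
  }
  return allowed;
}

// Option (2): only the origin of the document issuing the load matters.
function allowedByDocumentOrigin(policy, loadingDoc) {
  return policy.has(loadingDoc.origin);
}

// Option (4): every document in the frame tree must be allowed; one cross-origin iframe blocks the load.
function allowedByWholeFrameTree(policy, topDoc) {
  const stack = [topDoc];
  while (stack.length) {
    const doc = stack.pop();
    if (!policy.has(doc.origin)) return false;
    stack.push(...(doc.frames || []));
  }
  return true;
}

// Constructed scenario: an app embeds a third-party widget frame and loads
// one of its own resources served with From-Origin: 'self'.
const RESOURCE_ORIGIN = 'https://app.example';
const page = {
  origin: 'https://app.example',
  frames: [{ origin: 'https://widget.example', frames: [] }],
};

function evaluateScenario() {
  const strict = parseFromOrigin("'self'", RESOURCE_ORIGIN);
  // Whitelist the widget origin: the only way to make option (4) pass.
  const widened = parseFromOrigin("'self' https://widget.example", RESOURCE_ORIGIN);
  const widgetDoc = { origin: 'https://widget.example', frames: [] };
  return {
    option2: allowedByDocumentOrigin(strict, page),    // true
    option4: allowedByWholeFrameTree(strict, page),    // false
    option4Widened: allowedByWholeFrameTree(widened, page), // true
    // The cost: any widget.example document can now load the resource itself.
    widgetLoadsDirectly: allowedByDocumentOrigin(widened, widgetDoc), // true
  };
}
```

Under option (2) the embedded widget never affects the app's own fetch, whereas under option (4) the same page only works once `widget.example` is whitelisted, at which point its documents may load the resource directly.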