Re: [whatwg/fetch] From-Origin (#687)

@johnwilander In principle, I don't have a problem with making stricter behavior available as an opt-in. 

However, I worry about a model where unrelated cross-origin frames (outside of the ancestor chain of a given document and of the document's own descendants) can directly influence a document's behavior. For example, the situation you described seems to lead to a cross-origin information leak: evil.com can now infer if a tab from victim.com is loaded anywhere in its current process by returning different From-Origin values for its resources and seeing if they render, even if it doesn't have a reference to the victim.com window or its parent. Aside from security concerns, such "action at a distance" may lead to unexpected application failures, and doesn't seem easy to test for or debug.

Putting on my web author hat, the case you're describing is certainly possible, but due to `X-Frame-Options` lacking fine-grained origin-based controls, the majority of applications seem to default to only allowing same-origin framing; use of `frame-ancestors` is still relatively sparse. So I'd expect that the number of non-CORB-protected authenticated resources loaded in documents meant to be iframed across origins is relatively small compared to what `From-Origin` in "mode (2)" would protect from (and, in the case you're describing, those resources would be broken in situations in which they're currently working, so I'm not particularly convinced developers would be eager to opt into this mode.)

https://github.com/whatwg/fetch/issues/687#issuecomment-381313305

Received on Saturday, 14 April 2018 08:29:49 UTC
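The comment above contrasts `X-Frame-Options`, which can only express "nobody" or "same origin", with the CSP `frame-ancestors` directive, which lets a document name specific embedding origins. The following is an added illustration, not code from the fetch specification or from anyone in this thread: a small Python model of both checks, run against constructed origins. It assumes a simplified matcher (exact scheme comparison, no http-to-https upgrade, `*` only as a leading host label or as a port wildcard) and models `SAMEORIGIN` as a check on every ancestor, which is what current Chromium and Firefox do.

```python
"""Model of two framing controls: X-Frame-Options vs CSP frame-ancestors.

Added example with simplified source matching; not the spec algorithm.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_tuple(origin):
    """Normalise 'https://host[:port]' into (scheme, host, effective port)."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def xfo_allows(header_value, document_origin, ancestor_origins):
    """X-Frame-Options offers only DENY or SAMEORIGIN: no way to name a partner.

    Modelled as checking every ancestor (Chromium/Firefox behaviour); an
    unrecognised value is ignored, as browsers do.
    """
    if not ancestor_origins:
        return True  # top-level document, nothing to enforce
    value = header_value.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        doc = origin_tuple(document_origin)
        return all(origin_tuple(a) == doc for a in ancestor_origins)
    return True


def _source_matches(source, document_origin, ancestor_origin):
    """Does one frame-ancestors source expression match this ancestor origin?"""
    src = source.strip()
    if src == "'none'":
        return False
    if src == "'self'":
        return origin_tuple(document_origin) == origin_tuple(ancestor_origin)
    a_scheme, a_host, a_port = origin_tuple(ancestor_origin)
    if "://" not in src:
        if src.endswith(":"):  # scheme-source such as "https:"
            return src[:-1].lower() == a_scheme
        # host-source without scheme inherits the protected document's scheme
        src = origin_tuple(document_origin)[0] + "://" + src
    p_scheme, _, rest = src.partition("://")
    p_host, _, p_port = rest.partition(":")
    p_scheme, p_host = p_scheme.lower(), p_host.lower()
    if p_scheme != a_scheme:  # simplification: exact scheme match only
        return False
    if p_host.startswith("*."):
        # "*.partner.com" matches sub.partner.com but not partner.com itself
        if not a_host.endswith(p_host[1:]):
            return False
    elif p_host != a_host:
        return False
    if p_port == "*":
        return True
    expected = int(p_port) if p_port else DEFAULT_PORTS.get(p_scheme)
    return expected == a_port


def frame_ancestors_allows(directive_value, document_origin, ancestor_origins):
    """CSP frame-ancestors: every ancestor must match at least one source."""
    if not ancestor_origins:
        return True
    sources = directive_value.split()
    return all(
        any(_source_matches(s, document_origin, a) for s in sources)
        for a in ancestor_origins
    )


if __name__ == "__main__":
    # Constructed origins: victim.com wants to be embeddable by its partner only.
    doc = "https://victim.com"
    chain = ["https://app.partner.com"]
    # X-Frame-Options cannot express that; SAMEORIGIN blocks the partner.
    print("XFO SAMEORIGIN, partner frame:", xfo_allows("SAMEORIGIN", doc, chain))
    # frame-ancestors can name the partner and still exclude everyone else.
    policy = "'self' https://*.partner.com"
    print("frame-ancestors, partner frame:", frame_ancestors_allows(policy, doc, chain))
    print("frame-ancestors, partner + evil :",
          frame_ancestors_allows(policy, doc, chain + ["https://evil.com"]))
```

The last case shows why the whole ancestor chain matters: a nested frame hosted by an allowed partner is still blocked if any document above it in the chain is not covered by the policy.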