- From: Mike West <notifications@github.com>
- Date: Mon, 16 Apr 2018 08:23:44 +0000 (UTC)
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/700/381519400@github.com>
> I think it would only mitigate the risk if those were the only values transmitted.

Well, let's start with that as a baseline: could we agree that sending the three-value enum would be fine?

I believe there's some real value in more granularity above and beyond that enum for services that wish to expose data to some subset of cross-origin entities, but not all cross-origin entities (for example: `mail.google.com` might trust `accounts.google.com`, but not `docs.google.com`; `google.de` might trust `accounts.google.com`, but not `evil.com`). Neither `same-site` nor `cross-site` would be granular enough to create those ACLs.

Perhaps we could send both? That is, we might send `Sec-Site: same-site, https://docs.google.com` and `Sec-Site: cross-site, https://evil.com`? Developers could be encouraged to check the low-granularity bit that they know will always be present, and look to the origin when included to increase the check's robustness?

(As an aside: is this a practical concern, or a theoretical concern? That is, is Mozilla pondering killing `referer` (or revisiting @briansmith's https://briansmith.org/referrer-01)? That would be interesting!)

Comment on GitHub: https://github.com/whatwg/fetch/issues/700#issuecomment-381519400
Received on Monday, 16 April 2018 08:24:10 UTC
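As an added illustration, not code from the thread or from the Fetch specification, the Node.js snippet below shows the two-step server-side check the comment above proposes: always branch on the coarse `same-origin`/`same-site`/`cross-site` value, and consult the optional origin, when one is present, against a per-service allow list. The `Sec-Site` header, its `"<enum>, <origin>"` syntax, the `MAIL_POLICY` object and the sample values are assumptions modelled on the comment's `mail.google.com` example. For context, the header that eventually shipped, `Sec-Fetch-Site`, carries only the enum (`same-origin`, `same-site`, `cross-site`, `none`) and no origin, so against real browsers only the coarse branch has anything to act on.

```javascript
// Added example: server-side evaluation of the two-part `Sec-Site` value
// proposed in the comment ("<site-enum>, <origin>"). The header name, its
// syntax and the policy shape are assumptions taken from the proposal, not a
// shipped browser API. `Sec-` prefixed request headers are browser-controlled
// (forbidden header names in Fetch), which is what makes trusting them viable.

const SITE_VALUES = new Set(['same-origin', 'same-site', 'cross-site']);

// Normalize a serialized origin ("https://docs.google.com") to its canonical
// form, or return null if it is not a bare origin (path, query, credentials,
// an opaque "null" origin, or unparseable input).
function canonicalOrigin(candidate) {
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return null;
  }
  // A bare origin serializes back to exactly "<origin>/".
  if (url.origin === 'null' || url.href !== url.origin + '/') return null;
  return url.origin;
}

// Parse "same-site, https://docs.google.com" into { site, origin }.
// The coarse enum is mandatory; a malformed origin is dropped rather than
// failing the whole header, so the always-present coarse check still runs.
function parseSecSite(value) {
  if (typeof value !== 'string') return null;
  const [rawSite, ...rest] = value.split(',').map((s) => s.trim());
  if (!SITE_VALUES.has(rawSite)) return null;
  const origin = rest.length === 1 ? canonicalOrigin(rest[0]) : null;
  return { site: rawSite, origin };
}

// Decide whether to serve the request. The coarse bit is always evaluated;
// an explicit origin, when present, takes precedence because the per-origin
// ACL is what the service actually cares about (e.g. google.de trusting the
// cross-site accounts.google.com but not evil.com).
function decide(headerValue, policy) {
  const parsed = parseSecSite(headerValue);
  if (parsed === null) return 'deny'; // absent or malformed: fail closed
  if (parsed.site === 'same-origin') return 'allow';
  if (parsed.origin !== null) {
    return policy.trustedOrigins.has(parsed.origin) ? 'allow' : 'deny';
  }
  // Only the coarse bit is available. Cross-site with no origin can never
  // match an allow list; same-site is accepted only if policy says so.
  if (parsed.site === 'same-site' && policy.allowSameSiteWithoutOrigin) {
    return 'allow';
  }
  return 'deny';
}

// Assumed policy for the comment's mail.google.com example: only
// accounts.google.com may read, and a bare "same-site" is not sufficient.
const MAIL_POLICY = {
  trustedOrigins: new Set(['https://accounts.google.com']),
  allowSameSiteWithoutOrigin: false,
};

// Constructed sample header values, not captured traffic.
const SAMPLES = [
  'same-origin',
  'same-site, https://accounts.google.com',
  'same-site, https://docs.google.com',
  'cross-site, https://evil.com',
  'same-site',
  'same-site, https://docs.google.com/mail',
  undefined,
];

for (const v of SAMPLES) {
  console.log(JSON.stringify(v), '->', decide(v, MAIL_POLICY));
}
```

Note that the origin check only refines, never replaces, the coarse check: a request arriving with no origin component still gets a definite answer from the enum alone, which is the robustness property the comment is after.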