Re: [whatwg/fetch] From-Origin (#687)

> For the case where From-Origin specifies other origins, you have to either trust them or assume it's not a Spectre defense and just for purposes like hotlinking prevention.

For Spectre, it's not sufficient to just trust the sites that you allow to iframe your pages.  Those sites also have to have Spectre defenses of their own, or else an attacker can load them in a shared process via iframes or window.open.  Example attack using the names from above:
1) evil.com loads friend.com in same process (e.g., window.open).
2) friend.com loads victim.com in iframe.
3) evil.com accesses victim.com directly using Spectre.

That means that sites would have to be told to only allow embedding on sites they trust which also have effective From-Origin defenses of their own.  That might be possible, though it will probably make it harder for some sites in practice.

https://github.com/whatwg/fetch/issues/687#issuecomment-382018042

Received on Tuesday, 17 April 2018 14:42:49 UTC