- From: TanviHacks <notifications@github.com>
- Date: Tue, 17 Apr 2018 13:18:59 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 17 April 2018 20:19:22 UTC
> For example, the situation you described seems to lead to a cross-origin information leak: evil.com can now infer if a frame from victim.com is loaded anywhere in its current process by returning different From-Origin values for its resources and seeing if they render, even if it doesn't have a reference to the victim.com window or its parent. This could be an issue in general if From-Origin supports a list of origins and checks all frame ancestors. Example: * siteA.com embeds siteB.com but sets a referrer policy that strips the referrer. siteB.com doesn't know who is embedding it. * siteB embeds an image <img src="siteB.com">, that is delivered with "From-Origin: siteA.com, siteB.com". * From-Origin is spec'ed such that a resource only loads if all frame-ancestors are on the From-Origin list. (Option 1 in https://github.com/whatwg/fetch/issues/687#issuecomment-380905854) * siteB observes whether the image loads. If it loads, siteB knows it is embedded in siteA. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/687#issuecomment-382128393
Received on Tuesday, 17 April 2018 20:19:22 UTC