Re: [whatwg/fetch] Consider preserving destination on `new Request(request)` (#717)

Maybe a stupid idea, but could we:

1. Stash the original request's destination in some internal value.  Let's call it "original destination".
2. Add a CSP token that allows connect-src to inspect the original destination and apply its policy instead.  Let's call this "use-original-destination" for lack of a better name for now.

This would let a service worker use a CSP like:

  default-src 'self'; img-src *; connect-src use-original-destination;

This would give the service worker a more restrictive policy than what it would need otherwise:

  default-src 'self'; connect-src *;

And it would open up the XSS for pages unless they opt in to the "use-original-destination" policy.

https://github.com/whatwg/fetch/issues/717#issuecomment-384653109

Received on Thursday, 26 April 2018 14:05:44 UTC
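A small model of the proposal above, added here as an illustration rather than code from the Fetch or CSP specs or from the thread's author: the token name `use-original-destination`, the destination-to-directive table and the fallback rules (defer to the directive for the original destination, else `default-src`) are assumptions of this model.

```python
"""Model of the proposed 'use-original-destination' connect-src token (assumed semantics)."""

# Subset of the Fetch destination -> CSP directive mapping (assumed here).
DESTINATION_DIRECTIVE = {
    "image": "img-src",
    "script": "script-src",
    "style": "style-src",
    "font": "font-src",
}
TOKEN = "use-original-destination"  # hypothetical token from the proposal


def parse_csp(policy: str) -> dict:
    """Split "name src src; name src" into {name: [sources]}."""
    csp = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            csp[parts[0].lower()] = parts[1:]
    return csp


def effective_sources(csp: dict, original_destination: str) -> tuple:
    """Return (directive name, source list) governing a service-worker fetch.

    With the token present, defer to the directive for the request's original
    destination (falling back to default-src when that directive is absent).
    Requests with no mapped directive (plain fetch()/XHR, destination "") use
    the remaining connect-src sources, or default-src if none are listed.
    """
    default = ("default-src", csp.get("default-src", []))
    connect = csp.get("connect-src")
    if connect is None:
        return default
    if TOKEN not in connect:
        return ("connect-src", connect)
    name = DESTINATION_DIRECTIVE.get(original_destination)
    if name is not None:
        return (name, csp[name]) if name in csp else default
    rest = [s for s in connect if s != TOKEN]
    return ("connect-src", rest) if rest else default


def is_allowed(policy: str, original_destination: str, url_origin: str, self_origin: str) -> bool:
    """Decide whether a service-worker fetch to url_origin is permitted (host-source matching only)."""
    _, sources = effective_sources(parse_csp(policy), original_destination)
    if "*" in sources:
        return True
    if "'self'" in sources and url_origin == self_origin:
        return True
    return url_origin in sources
```

With the restrictive policy from the comment, an image fetch to a third-party CDN passes via `img-src *`, while a plain `fetch()` from the page to the same origin falls back to `default-src 'self'` and is blocked.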