Re: [whatwg/fetch] Define Cross-Origin-Resource-Policy response header (#733)

mikewest approved this pull request.

LGTM. This patch is a pretty reasonable definition of the feature, thanks for putting it together, @annevk!

That said, I think there's enough subtlety here that it would be worth writing up a separate document that walked through the details, expectations, and rationales behind the header's design. The underlying proposal went through a few mutations, and it feels like we're doing it a disservice by only recording the algorithm, and none of the ancillary justification. If I pointed a developer to this section of Fetch, I suspect they'd have no idea what problem it attempts to solve, or why it's relevant to them at all.

Anyway, LGTM to land the definition as something browser vendors can rely on while implementing, but I hope we can collectively find time to fill in some of the details at greater length.

> +
+  <p class=note>This means that `<code>Cross-Origin-Resource-Policy: same-site, same-origin</code>`
+  ends up as <b>allowed</b> below as it will never match anything. Two or more
+  `<a http-header><code>Cross-Origin-Resource-Policy</code></a>` headers will have the same effect.
+
+ <li><p>If <var>policy</var> is `<code>same-origin</code>`, then return <b>blocked</b>.
+
+ <li>
+  <p>If the following are true
+
+  <ul class=brief>
+   <li><var>request</var>'s <a for=request>origin</a>'s <a for=url>host</a> is <a>same site</a> with
+   <var>request</var>'s <a for=request>current url</a>'s <a for=url>host</a>
+   <li><var>request</var>'s <a for=request>origin</a>'s <a for=url>scheme</a> is
+   "<code>https</code>" or <var>response</var>'s <a for=response>HTTPS state</a> is
+   "<code>none</code>"
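Review bot: The note at the top of this hunk records a fail-open outcome without giving the reason: a value such as `same-site, same-origin` (and, per the note, two or more `Cross-Origin-Resource-Policy` headers) matches neither keyword, so the check falls through to allowed. The note should say that the value matches no keyword and that this is why the header is ignored, and it would help deployers to state plainly that a server emitting more than one value, or a duplicate header, silently loses the protection rather than getting the stricter of the two.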

I feel like I had to think about what this means more than I'd like to. An explicit comparison seems simpler. Or maybe just skipping the check around? Is something like this equivalent?

> If response's HTTPS state is `modern`, request's origin's scheme is `https`.


> +<p>To perform a <dfn>cross-origin resource policy check</dfn>, given a <var>request</var> and
+<var>response</var>, run these steps:</p>
+
+<ol>
+ <li><p>If <var>request</var>'s <a for=request>mode</a> is not "<code>no-cors</code>", then return
+ <b>allowed</b>.
+
+ <li>
+  <p>If <var>request</var>'s <a for=request>origin</a> is <a>same origin</a> with
+  <var>request</var>'s <a for=request>current url</a>'s <a for=url>origin</a>, then return
+  <b>allowed</b>.
+
+  <p class="note no-backref">A cross-origin response redirecting to a response that is
+  <a>same origin</a> or <a>same site</a> with the initial request and has a
+  `<a http-header><code>Cross-Origin-Resource-Policy</code></a>` header specified, does not affect
+  anything. I.e., <var>request</var>'s <a for=request>tainted origin flag</a> is not checked.
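Review bot: Step 1 returns allowed for every request mode other than `no-cors` without saying why those modes need no check; a short note naming the excluded modes and the reason the check is unnecessary for them would make the scope of the header clear to someone reading only this algorithm. Minor style point in the same hunk: the note uses `class="note no-backref"` while the earlier note in this patch uses `class=note`; pick one quoting style for the attribute.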

Nit: I'd rephrase this a little bit. Perhaps something like "The cross-origin resource policy check does not consider a request's redirect chain when processing a given response's `Cross-Origin-Resource-Policy` header, but only the relationship between the requesting origin and the response which asserts the header."?

View it on GitHub:
https://github.com/whatwg/fetch/pull/733#pullrequestreview-129489348

Received on Monday, 18 June 2018 09:53:17 UTC