Re: [whatwg/fetch] From-Origin (#687)

> If all browsers ship process-isolation at the <iframe> boundary at some point this will also be a limitation of the feature that makes it harder for sites to use that want to be embedded as a widget. Perhaps we should consider a more complicated design: same/same-with-ancestors/same-site/same-site-with-ancestors. Or alternatively go back to the idea of requiring both From-Origin and X-Frame-Options to be specified. (If we include ancestor checking I think it should work identically to X-Frame-Options, including any referrer checks we may include there to avoid leaking the embedder.)

Splitting the responsibility between From-Origin and X-Frame-Options has some benefits:
- Less risk of introducing mismatches between the two mechanisms
- From-Origin would probably be easier to define/implement/use

The main downside I see so far is that a web site would currently need to make sure that any of its web pages that can load a protected resource is itself protected by X-Frame-Options. This might be difficult in practice.

> For service workers we could go through the ancestor chain of the clients that are currently active (I would expect this for dedicated and shared workers), but that would not be very deterministic. I guess that means that once you have a service worker you need to be careful about X-Frame-Options/From-Origin for resources that can be intercepted.

From a Spectre perspective, it all depends on how service workers are run. If a service worker runs in its own per-origin process, it is fine for the service worker to get access to the resource without checking potential ancestors, so long as the service worker applies the ancestor checks before sending the response to the final context process.

> I think failing for data: URLs (and sandboxed <iframe>s without same-origin) is fine. Making that work while still keeping things secure seems quite complex.

I kind of agree but would like to point out some points that feel somewhat inconsistent:
- CORS loads from data: URL iframes can succeed
- data: URL iframes might be able to load From-Origin protected resources from a service worker while they will never be able to load them directly (depending on where the From-Origin check is made).

Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/687#issuecomment-387144605

Received on Monday, 7 May 2018 17:41:55 UTC