Re: [whatwg/fetch] From-Origin (#687)

I chatted with @annevk a little this morning, and my understanding of his narrowing suggestion is the following:

1.  `from-origin` would be folded into https://fetch.spec.whatwg.org/#corb-check as another way of triggering its blocking behavior.
2.  `from-origin` would apply only to cross-origin, `no-cors` requests. That is, it would cover things like `<img>`, `<script>`, etc, but developers would also need `frame-ancestors` or XFO for protection against embedding.
3.  We would neither walk the ancestor chain, nor consider other frames, windows, etc. that might live in the same process as the requesting context.

Relatedly, I'm convinced by @arturjanc's argument here and elsewhere that interesting web applications with equally interesting cross-origin relationships are going to have a hard time deploying something like this unless we give them more flexibility than `same` and `same-site`. That concern is mitigated to some extent by limiting the header's effect to `no-cors` requests, but I don't think it's obviated, given things like JSONP endpoints that could use more granularity. I'd suggest that a list of origins (or sites) would be a reasonable mechanism to add to this header.

If we accept the above, then I think the Fetch spec change might look something like:

> 7. If request's origin is not same origin with request's current url's origin, and request's mode is `no-cors`, and request's header list contains `From-Origin`:
>
>     1. [Process `From-Origin` to get a list of origins (sites?)]
>     2. [If the header was invalid, continue.]
>     3. [If request's origin is not contained in the list, return **blocked**]

Does that match your understanding, @annevk?

(And, since we're bikeshedding already, the name "From-Origin" seems overly broad if this is the model we're running with. `CORB-Me-Unless-Im-Being-Requested-By: same-site` is a terrible suggestion, I'm sure we can come up with more together. :nerd_face:)

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/687#issuecomment-390124209

Received on Friday, 18 May 2018 07:46:21 UTC
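The narrowed check sketched in the comment above, as an added example in JavaScript (not code from the thread, from the Fetch spec, or from any browser): it parses a `From-Origin` value and applies the three conditions of the proposed step 7 to a request. Several things the thread leaves open are assumptions here and are flagged in the code: the header grammar (comma-separated tokens that are `same`, `same-site`, or a serialized origin, in line with the "list of origins" suggestion), a schemeful notion of same-site, and a two-entry stub standing in for the Public Suffix List. The check takes the header value directly rather than modelling a header list.

```javascript
// Added example: a model of the proposed From-Origin check as it might slot
// into the CORB check. Not from the Fetch spec or any browser; the
// assumptions it makes are flagged in comments.

const ALLOWED = "allowed";
const BLOCKED = "blocked";

// ASSUMPTION: a real implementation consults the Public Suffix List. This
// stub only knows a couple of multi-label suffixes so that, for example,
// "www.example.co.uk" gets the registrable domain a browser would compute.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "github.io"]);

function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  if (labels.length < 2) return labels.join(".");
  const suffix = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(suffix) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Serialized origin (scheme://host[:port], default port dropped) via the URL parser.
function originOf(url) {
  return new URL(url).origin;
}

function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// ASSUMPTION: "same-site" is taken to be schemeful, i.e. scheme and
// registrable domain must both match.
function isSameSite(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol &&
    registrableDomain(ua.hostname) === registrableDomain(ub.hostname);
}

// Parse a From-Origin value into a rule. ASSUMPTION on the grammar:
// comma-separated tokens, each "same", "same-site" or a serialized origin.
// Returns null when the value is invalid, which the sketched algorithm
// treats as "continue" (the header has no effect).
function parseFromOrigin(value) {
  if (typeof value !== "string") return null;
  const tokens = value.split(",").map((t) => t.trim()).filter((t) => t.length > 0);
  if (tokens.length === 0) return null;
  const rule = { same: false, sameSite: false, origins: new Set() };
  for (const token of tokens) {
    if (token === "same") {
      rule.same = true;
    } else if (token === "same-site") {
      rule.sameSite = true;
    } else {
      let origin;
      try {
        origin = new URL(token).origin;
      } catch (e) {
        return null; // not a URL at all
      }
      // Must be a bare serialized origin: no path, and not an opaque ("null") origin.
      if (origin === "null" || origin !== token.toLowerCase()) return null;
      rule.origins.add(origin);
    }
  }
  return rule;
}

// The check from the sketched step 7. requestOrigin is a serialized origin,
// currentUrl the request's current URL, mode the request mode, and
// headerValue the From-Origin value (undefined when the header is absent).
function fromOriginCheck(requestOrigin, currentUrl, mode, headerValue) {
  if (isSameOrigin(requestOrigin, currentUrl)) return ALLOWED; // same-origin: out of scope
  if (mode !== "no-cors") return ALLOWED; // CORS-mode requests are governed by CORS, not this header
  if (headerValue === undefined || headerValue === null) return ALLOWED; // header absent
  const rule = parseFromOrigin(headerValue);
  if (rule === null) return ALLOWED; // step 7.2: invalid header, continue (fails open)
  // Step 7.3: the requester is already known to be cross-origin, so "same" on
  // its own admits nothing; "same-site" and listed origins can still admit it.
  if (rule.sameSite && isSameSite(requestOrigin, currentUrl)) return ALLOWED;
  if (rule.origins.has(originOf(requestOrigin))) return ALLOWED;
  return BLOCKED;
}
```

One consequence of step 7.2 worth noticing in deployment: an unparsable value falls through to "continue", so a typo in the header silently leaves the resource unprotected. If the header is meant to be a defence rather than a hint, the parsing rules need to be tight and the value needs to be tested, not just shipped.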