Re: [whatwg/fetch] CORS: arbitrary blocking of accept header based on length (#862)

@annevk Thanks. Is there any indication that the length restriction (in general, or to the specific values of 128/1024) mitigates any concrete attacks, or is this purely speculative?

> Until it consents to CORS the browser should do its best to protect the server.

That is a good principle indeed, but in the absence of concrete evidence that length restrictions in HTTP scenarios provide additional protection on top of character restrictions, it is hard to conclude that it contributes to actual protection as opposed to a false feeling of security that involves overhead.

Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/862#issuecomment-458534490

Received on Tuesday, 29 January 2019 13:13:17 UTC
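Added illustration, not part of the thread or the Fetch spec text: a JavaScript sketch of the CORS-safelisted check for Accept as the commenter describes it, separating the character restriction (the spec's "CORS-unsafe request-header byte" set) from the 128-byte per-value and 1024-byte combined caps. Only Accept is modelled and every other header is treated as needing a preflight; the function names and sample header lists are my own.

```javascript
// Added example (not from the thread): which Accept values would force a
// CORS preflight because of the byte restriction, and which only because
// of the 128/1024 length caps being debated. Header values are treated as
// byte strings (code points 0-255), as the spec does.

// Bytes the Fetch spec calls "CORS-unsafe request-header bytes".
function isCorsUnsafeByte(b) {
  if (b < 0x20 && b !== 0x09) return true;      // controls except HTAB
  if (b === 0x7f) return true;                   // DEL
  return [0x22, 0x28, 0x29, 0x3a, 0x3c, 0x3e, 0x3f,
          0x40, 0x5b, 0x5c, 0x5d, 0x7b, 0x7d].includes(b);
}

// null if the Accept value is safelisted, otherwise why it is not:
// 'unsafe-byte' (character restriction) or 'too-long' (128-byte cap).
function acceptUnsafeReason(value) {
  for (let i = 0; i < value.length; i++) {
    if (isCorsUnsafeByte(value.charCodeAt(i))) return 'unsafe-byte';
  }
  if (value.length > 128) return 'too-long';
  return null;
}

// Given [[name, value], ...], return the lowercase names that require a
// preflight. Safelisted Accept values are added back in if their combined
// length exceeds 1024 bytes (the second cap mentioned in the comment).
// Simplification: headers other than Accept are always treated as unsafe.
function corsUnsafeRequestHeaderNames(headers) {
  const unsafe = new Set();
  const safelisted = [];
  let safelistValueSize = 0;
  for (const [name, value] of headers) {
    const lname = name.toLowerCase();
    if (lname === 'accept' && acceptUnsafeReason(value) === null) {
      safelisted.push(lname);
      safelistValueSize += value.length;
    } else {
      unsafe.add(lname);
    }
  }
  if (safelistValueSize > 1024) for (const n of safelisted) unsafe.add(n);
  return unsafe;
}
```

With the 128-byte cap, nine maximal Accept entries are needed before the 1024-byte combined rule adds anything on top of the per-value check.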