- From: arturjanc <notifications@github.com>
- Date: Tue, 05 Nov 2019 23:56:59 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/948/c550190742@github.com>
I think we all want to make a decision here and I don't want to derail a productive discussion, but IMHO there are 3 problems with `mode`=`navigate` for `embed`/`object`: 1. It seems counter-intuitive: in my mental model an `<embed>` or `<object>` work similarly to `<img>` or any other element that loads a non-document subresource. The fact that browsers create a browsing context for some MIME types seems like an implementation detail; I doubt developers are aware of this or rely on it -- I've never seen a browsing context created via `embed` be navigated like an iframe. 2. It is currently unsafe (with respect to Fetch Metadata) because it allows loading images via `<embed>`, and Firefox ignores `X-Frame-Options`/`frame-ancestors` in this case. If a site prevents `cross-site` loading of images but allows `cross-site` navigations, and sets `X-Frame-Options` to protect from embedding, an attacker will still be able to load images cross-site via `<embed>` and e.g. exflitrate them via Spectre. 3. It will complicate writing Fetch Metadata policies that protect from framing because developers will need to consider framed loads via `object` and `embed`, in addition to `frame` and `iframe`. (But this would arguably be the same with @mikewest's `no-cors-on-initial-load-and-then-navigate` model.) Basically, I think that `navigate` here prioritizes what makes sense to a browser over what makes sense to web developers, and `no-cors` would be a better fit (for a developer, though not necessarily for a browser) and be safer. That said, if we can guarantee that `<embed>`/`<object>` always works exactly the same as an iframe, e.g. respects `X-Frame-Options` and doesn't give the embedder any new ways to interact with the loaded resource such as triggering events that a load in an iframe wouldn't trigger, then I think I can live with `navigate`. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/948#issuecomment-550190742
Received on Wednesday, 6 November 2019 07:57:01 UTC