Re: [whatwg/fetch] Remove Cache-Control and Expires headers from the CORS-safelisted response headers to prevent user tracking (#1128)

Thanks for reporting this! I guess the question for @whatwg/security is to what extent we care about these kinds of same-site attacks. E.g., I would expect browsers to soon clear cookies and the cache across a site. And it seems to me that even if we did not put these headers on the safelist, the site could safelist them or embed their information in the response itself.

Unless I'm missing something, which is likely, there would be an untrustworthy same-site origin case left, but in general you should not have those to begin with as they can attack you in other ways as well.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1128#issuecomment-747312373

Received on Thursday, 17 December 2020 09:12:45 UTC
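The argument in the comment above, that removing Cache-Control and Expires from the safelist changes little because a site can re-expose them with Access-Control-Expose-Headers, as an added example (not code from the thread or from the Fetch spec). It models the spec's header-exposure rule with a hypothetical `readableHeaders` function; the safelist contents and the sample responses are assumptions constructed for the example.

```javascript
// Added example (not code from the whatwg/fetch thread or spec): a small model
// of the Fetch rule that decides which response headers cross-origin script
// may read, to show why dropping a name from the safelist only helps if the
// server does not re-expose it via Access-Control-Expose-Headers.

// CORS-safelisted response-header names at the time of the thread.
const DEFAULT_SAFELIST = [
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
];
// The safelist as the issue proposes it (Cache-Control and Expires removed).
const PROPOSED_SAFELIST = DEFAULT_SAFELIST.filter(
  (n) => n !== "cache-control" && n !== "expires");
// Never readable from script, regardless of what the server exposes.
const FORBIDDEN_RESPONSE_HEADERS = ["set-cookie", "set-cookie2"];

// Split an Access-Control-Expose-Headers value into lowercase names.
function parseExposeHeaders(value) {
  return value.split(",").map((n) => n.trim().toLowerCase()).filter(Boolean);
}

// headers: [name, value] pairs as the server sent them (constructed input).
// credentials: true for a credentialed request, where "*" is a literal name.
// Returns the sorted header names a cross-origin fetch() caller can read.
function readableHeaders(headers, { credentials = false, safelist = DEFAULT_SAFELIST } = {}) {
  const lower = headers.map(([n, v]) => [n.toLowerCase(), v]);
  const exposed = lower
    .filter(([n]) => n === "access-control-expose-headers")
    .flatMap(([, v]) => parseExposeHeaders(v));
  const wildcard = !credentials && exposed.includes("*");
  const readable = new Set();
  for (const [n] of lower) {
    if (FORBIDDEN_RESPONSE_HEADERS.includes(n)) continue;
    if (safelist.includes(n) || wildcard || exposed.includes(n)) readable.add(n);
  }
  return [...readable].sort();
}

// Constructed sample responses: one relying on the safelist alone, and one
// where the server opts in with Access-Control-Expose-Headers.
const PLAIN_RESPONSE = [
  ["Content-Type", "text/html"], ["Cache-Control", "max-age=31536000"],
  ["Expires", "Thu, 16 Dec 2021 09:12:45 GMT"], ["Set-Cookie", "id=1"],
];
const OPT_IN_RESPONSE = [
  ...PLAIN_RESPONSE, ["Access-Control-Expose-Headers", "Cache-Control, Expires"],
];

console.log(readableHeaders(PLAIN_RESPONSE, { safelist: PROPOSED_SAFELIST }));
console.log(readableHeaders(OPT_IN_RESPONSE, { safelist: PROPOSED_SAFELIST }));
```

With the proposed safelist the plain response hides Cache-Control and Expires, but the opt-in response makes both readable again, which is the same-site case the comment describes.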