Re: [whatwg/fetch] Integrate CORP and COEP (#1030)

@annevk commented on this pull request.



> @@ -3871,6 +3980,10 @@ optional <i>CORS-preflight flag</i>, run these steps:
 
        <li><var>request</var>'s <a for=request>redirect mode</a> is not "<code>follow</code>" and
        <var>response</var>'s <a for=response>URL list</a> has more than one item.
+
+       <li><p><var>request</var>'s <a for=request>response tainting</a> is "<code>opaque</code>" and
+       the <a>cross-origin resource policy check</a> with <var>request</var> and <var>response</var>
+       returns <b>blocked</b>.
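
Review bot: The new `<li>` gates the check on `request`'s response tainting being "opaque", but every other condition in this list that inspects the result (for example the preceding `response`'s URL list check) uses fields of `response`; in this branch `response` may have been produced by a service worker, so the request's tainting is not necessarily what the response actually is. Either key the condition on the response's own state or add a source comment explaining why the request's tainting is the right authority here and where else the cross-origin resource policy check is run, so the two call sites can be reconciled. Minor style point: the existing items are written as bare `<li>` while the added one uses `<li><p>`; match the surrounding items.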

Instead of calling it twice both here and in the HTTP layer, could we call it in a step before "If actualResponse’s status is a redirect status, then:"? Then we would only have to check the response once I think, whether it came from a service worker or the network.

It seems that would miss the 401/407 scenarios, but I wonder if those should not also invoke HTTP fetch (maybe the latter shouldn't though) as they end up bypassing the service worker as currently defined. Hmm.

Either way we should document what we're doing and why, potentially just in a source comment for now.

> @@ -3123,58 +3143,147 @@ response <a for=/>header</a> can be used to require checking a <a for=/>request<
 Cross-Origin-Resource-Policy     = %s"same-origin" / %s"same-site" / %s"cross-origin" ; case-sensitive
 </code></pre>
 
-<p>To perform a <dfn>cross-origin resource policy check</dfn>, given a <var>request</var> and
-<var>response</var>, run these steps:</p>
+<p>To perform a <dfn>cross-origin resource policy internal check</dfn>, given an
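
Review bot: Renaming the `<dfn>cross-origin resource policy check</dfn>` to `<dfn>cross-origin resource policy internal check</dfn>` breaks every existing `<a>cross-origin resource policy check</a>` reference (the HTTP fetch hunk above still links to the old name) unless a wrapper algorithm with the original name is added in the part of this hunk not shown; please confirm that wrapper exists and that the remaining `<a>` references resolve. The signature also changes from "given a request and response" to "given an ..." (cut off here), so state in the algorithm's prose which new input is now the authority and document why, since this algorithm is now also applied to service worker responses.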

I don't think this algorithm works now we also use it for responses from a service worker as it primarily uses the request as authority, whereas the request has almost zero authority in such situations.

This is similar to the problem with the Cache API check and needs a similar solution.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1030#pullrequestreview-423407432

Received on Wednesday, 3 June 2020 10:17:52 UTC