Re: [whatwg/fetch] CORS-safelisted request-headers and Client Hints (#1006)

@martinthomson and I have been musing on a TLS connection flag that opts out of all CORS preflights for the connection. That coupled with sufficient pushback against non-header-based approaches when headers are appropriate could be a viable alternative.

As for your suggested solutions:

1. This seems rather scary. The threat is really being able to trick the server and it's unknown what all servers can be tricked with. What is known is that since the dawn of HTML forms they had to at least not be susceptible to them.
2. This would require servers to pay attention, forever. (Or get a better architecture, if they haven't already.) To some extent they have to pay attention because of TLS, but also not really.
3. This is a variant of 2 with a one-time cost.

Unfortunately, none of them deal with the fact that these days there are not just restrictions on headers, but also on their size. We restrict the maximum length of a `Referer` header (currently 4096 bytes, but 2048 is/was investigated) and each header that can bypass a CORS preflight can have a value that's a maximum of 128 bytes (and there's a further maximum of 1024 total, but that cannot be reached). This helps prevent information leaks and certain cache attacks.

I suspect that if we opened the floodgates, everyone would start hitting the size limits pretty quickly and we'd be back at square one.

Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1006#issuecomment-598187679

Received on Thursday, 12 March 2020 13:33:08 UTC
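The size rules the comment refers to (128 bytes per safelisted value, 1024 bytes across all of them, and the byte restrictions that keep a value from smuggling extra header syntax) are easier to reason about as code. The following is an added example, not code from the thread or the Fetch spec's own text: a JavaScript model of the spec's "CORS-safelisted request-header" check for the four names safelisted at the time (`Accept`, `Accept-Language`, `Content-Language`, `Content-Type`) and of its "CORS-unsafe request-header names" algorithm. It assumes header values are byte strings (one character per byte) and simplifies MIME-type parsing to the essence before the first `;`.

```javascript
// Added example (not from the issue thread): a JavaScript model of the Fetch
// spec's "CORS-safelisted request-header" check and its "CORS-unsafe
// request-header names" algorithm. Values are byte strings (one char per
// byte); MIME parsing is simplified to the essence before ';' (assumption).

// CORS-unsafe request-header byte: a control byte other than HT, DEL, or a
// delimiter that could let a value smuggle extra header syntax.
function isUnsafeByte(c) {
  return (c < 0x20 && c !== 0x09) || c === 0x7f ||
    '"():<>?@[\\]{}'.includes(String.fromCharCode(c));
}

const SAFE_ESSENCES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];

function isCorsSafelistedRequestHeader(name, value) {
  if (value.length > 128) return false;        // per-value byte limit
  const codes = Array.from(value, ch => ch.charCodeAt(0));
  switch (name.toLowerCase()) {
    case 'accept':
      return !codes.some(isUnsafeByte);
    case 'accept-language':
    case 'content-language':   // digits, ASCII letters, space * , - . ; =
      return codes.every(c => /^[0-9A-Za-z *,\-.;=]$/.test(String.fromCharCode(c)));
    case 'content-type': {
      if (codes.some(isUnsafeByte)) return false;
      const essence = value.split(';')[0].trim().toLowerCase();
      return SAFE_ESSENCES.includes(essence);
    }
    default:
      return false;  // any other name (Client Hints included) needs a preflight
  }
}

// Names that force a preflight. If the safelisted values together exceed
// 1024 bytes, every safelisted name is reported as unsafe as well.
function corsUnsafeRequestHeaderNames(headers) {
  const unsafe = [], potentiallyUnsafe = [];
  let safelistValueSize = 0;
  for (const [name, value] of headers) {
    if (!isCorsSafelistedRequestHeader(name, value)) {
      unsafe.push(name.toLowerCase());
    } else {
      potentiallyUnsafe.push(name.toLowerCase());
      safelistValueSize += value.length;
    }
  }
  if (safelistValueSize > 1024) unsafe.push(...potentiallyUnsafe);
  return [...new Set(unsafe)].sort();
}
```

`corsUnsafeRequestHeaderNames` takes a raw list of name/value pairs, so it can show the 1024-byte total tripping; through a real `Headers` object, duplicate names are combined into one value that exceeds 128 bytes first, which is why the comment says that limit cannot be reached.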