[whatwg/fetch] Enforce CORP on "navigate" request mode (#1113)

There is an inconsistency in CORP, where CORP is not enforced on a request with _navigate_ mode (e.g. a site embedded by an iframe). While I understand that `X-Frame-Options` or `CSP: frame-ancestors` can do this, there are a few problems.

1. A developer might think that a resource (e.g. image) is protected by CORP, but it can be leaked if that resource is loaded by an iframe (assuming that the browser doesn't support Site Isolation). While SharedArrayBuffer might not be available in this context, an attacker can still take advantage of the [amplification technique](https://v8.dev/blog/spectre#amplification).
2. The destination URL of a redirect can be leaked because [XFO is not enforced in a redirect](https://bugs.chromium.org/p/chromium/issues/detail?id=835465).

I think it'd be better to enforce CORP on a request with _navigate_ mode as well.

https://github.com/whatwg/fetch/issues/1113

Received on Thursday, 5 November 2020 07:32:51 UTC
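
A defensive check for point 1 of the issue, as an added example that is not part of the original post: it flags responses that send a restrictive `Cross-Origin-Resource-Policy` but neither `X-Frame-Options` nor CSP `frame-ancestors`, i.e. resources whose only protection is the header the post says is skipped for _navigate_ requests. The function names and sample responses are constructed for illustration, and the check does not cover the redirect case in point 2.

```javascript
// Added example: find responses that rely on CORP alone for cross-origin protection.
// Assumption: headers arrive as a plain { name: value } object, one value per name.

function frameAncestors(csp) {
  // Return the frame-ancestors source list from a CSP header value, or null if absent.
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

function auditFraming(headers) {
  // Header names are case-insensitive, so normalise before lookup.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();

  const corp = (h["cross-origin-resource-policy"] || "").toLowerCase();
  if (corp !== "same-origin" && corp !== "same-site") {
    return { status: "no-restrictive-corp" };
  }
  const xfo = (h["x-frame-options"] || "").toUpperCase();
  const fa = frameAncestors(h["content-security-policy"]);
  const xfoOk = xfo === "DENY" || xfo === "SAMEORIGIN";
  // A wildcard or bare-scheme source lets arbitrary sites embed the response.
  const faOk = fa !== null && !fa.some((s) => s === "*" || /^https?:$/i.test(s));
  if (xfoOk || faOk) return { status: "framing-restricted", corp };
  return { status: "corp-only", corp }; // CORP set, but framing is unrestricted
}

// Constructed sample responses (not taken from any real site).
const samples = {
  "/avatar.png": { "Cross-Origin-Resource-Policy": "same-origin" },
  "/report.pdf": {
    "Cross-Origin-Resource-Policy": "same-site",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'self'",
  },
  "/logo.svg": { "Cross-Origin-Resource-Policy": "cross-origin" },
  "/doc.html": { "cross-origin-resource-policy": "same-origin", "X-Frame-Options": "deny" },
  "/wide.html": {
    "Cross-Origin-Resource-Policy": "same-origin",
    "Content-Security-Policy": "frame-ancestors *",
  },
};

function corpOnlyPaths(responses) {
  return Object.keys(responses).filter((p) => auditFraming(responses[p]).status === "corp-only");
}

console.log(corpOnlyPaths(samples));
```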