- From: abflow <notifications@github.com>
- Date: Tue, 06 Apr 2021 02:25:39 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/1209@github.com>
### Context:

The default mode of a request is "_no-cors_", meaning that, by default, the fetch API is unsafe to use, as pointed out in the specification. It is also available by default in `script` tags, so that a tampered script loaded from a remote third-party CDN can gain full network access within the context of the document or application.

### Background:

In https://github.com/whatwg/html/issues/6553, a declarative way was introduced for web developers to easily reason about network permissions without having to deal with HTTP headers, via the `allow-net` attribute in insecure HTML tags. This declarative way of defining network policies would be more in line with the HTML specification, while offering:

- enhanced, fine-grained network permissions,
- the possibility to gain network isolation for critical parts of the document/application (https://github.com/whatwg/html/issues/6547),
- the possibility to define and even extend declarative cross-origin communication scenarios, by leveraging the Shared Worker technology (https://github.com/whatwg/html/issues/6555).

### Proposal:

The Fetch API can be made safe by default by using declarative network permissions in the parent scope, via the `allow-net` attribute in insecure HTML tags.

### Example:

```html
<script allow-net="https://example.com">
  /* Script has only access to https://example.com */

  /* Following fetch will fail */
  fetch('http://anothersite.com/data.json')
    .then(response => response.json())
    .then(data => console.log(data));

  /* Following fetch will likely succeed */
  fetch('https://example.com/data.json')
    .then(response => response.json())
    .then(data => console.log(data));
</script>

<script>
  /* Script does not have network access */

  /* Following fetch will fail */
  fetch('http://example.com/data.json')
    .then(response => response.json())
    .then(data => console.log(data));
</script>
```

Those declarative permissions could be set at the level of the whole document in the `head` attribute, or in a fine-grained way within insecure HTML tags such as `iframe`, `portal`, `script`, etc., that is, everywhere the Fetch API can be used.

Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/1209
Received on Tuesday, 6 April 2021 09:25:52 UTC
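The following is an added illustrative model of the permission check the proposal above describes; it is not part of the issue, of any browser, or of the Fetch specification. It assumes a hypothetical `allow-net` value is a whitespace-separated list of origins, that an absent attribute means no network access, and that origins are compared on scheme, host and port as the same-origin rule does (so the `http://example.com` fetch in the second script is denied even though the host matches).

```javascript
// Hypothetical model of an allow-net permission check (constructed example).
// `attr` is the raw value of the proposed allow-net attribute, or null when
// the attribute is absent. Returns the list of allowed origins.
function parseAllowNet(attr) {
  // Absent attribute -> empty allow-list -> default deny (no network access).
  if (attr === null || attr === undefined) return [];
  return attr
    .split(/\s+/)
    .filter(Boolean)
    .map((entry) => new URL(entry).origin); // normalises e.g. default ports
}

// Decide whether a request URL is reachable under the given allow-net value.
// Comparison is on the full origin (scheme + host + port), so a scheme or
// port mismatch is a deny, matching how the same-origin policy treats origins.
function isFetchAllowed(attr, requestUrl) {
  const allowed = parseAllowNet(attr);
  const origin = new URL(requestUrl).origin;
  return allowed.includes(origin);
}

// Enforcing wrapper: reject before any network activity if the policy denies
// the request, otherwise delegate to the real fetch (or an injected stub).
function policedFetch(attr, url, fetchImpl = globalThis.fetch) {
  if (!isFetchAllowed(attr, url)) {
    return Promise.reject(
      new TypeError(`fetch to ${url} blocked by allow-net policy`)
    );
  }
  return fetchImpl(url);
}
```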