Re: [whatwg/fetch] Consider shifting the "bad port list" to an allowlist. (#1189)

> Would this mean that the allowlist couldn't be expanded since we could similarly never know if it's safe to allow any currently blocked port?

Yes, I think we would never add new ports to the allowlist, only remove them.

> Would a devtools configured exception be possible to use while not keeping devtools open (i.e. similar to adding an exception to your firewall)? I've seen many cases where the presence of devtools significantly slows down the site, and it's awkward to lose that screen real estate when you're not working on the site.

So essentially it would be a normal browser setting, but hidden in devtools rather than on the usual setting page? It might work.

> Alternately, could we get most of the benefit without some of the pain by not restricting the main navigation, but only restricting sub-resource requests (explicitly allowing them to the ip:port used for the main navigation)?

I think the security benefits of this are not that great, since you can perform many attacks just by using a form with POST. However, it might be a good transitional stage to get web developers used to the idea of there being an allowlist.

-- 
https://github.com/whatwg/fetch/issues/1189#issuecomment-864117482

Received on Friday, 18 June 2021 15:27:25 UTC