[whatwg/fetch] Request constructor should propagate origin internal field (#1321)

Currently, the Request constructor always resets the request `origin` internal field to "client".  See step 12 in:

https://fetch.spec.whatwg.org/#dom-request

This is problematic because a pass-through FetchEvent SW handler will end up using the service worker's origin for things like:

* Origin header
* Sec-Fetch-Site header
* SameSite cookies

It would be safer for sites if we propagated the internal `origin` field from the original request. We also need to propagate the `tainted origin flag` in order to properly handle redirects.

This was discussed at the virtual F2F (w3c/ServiceWorker#1604).  [Notes](https://docs.google.com/document/d/1q74ATke1oG2jEval1yBTVIrXZGItFi6DR5l8n_8ybgs/edit#bookmark=id.bg7ds8878foi) are available.

-- 
https://github.com/whatwg/fetch/issues/1321

Received on Wednesday, 6 October 2021 19:29:59 UTC
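The two pass-through patterns the issue contrasts, as an added illustration that is not part of the issue or of the whatwg/fetch repository: forwarding `event.request` untouched never runs the Request constructor, while rebuilding it with `new Request(request, init)` does, and so (as reported above) resets the internal origin to "client", the worker's own origin. The function names and the sample URL are assumptions; the internal origin itself is not observable from script, so the block only checks the fields that are.

```javascript
// Added example (not from the whatwg/fetch issue). Two pass-through
// strategies for a service worker FetchEvent handler.

// Strategy A: forward the original Request object as-is. No Request
// constructor call, so the original request's origin and tainted origin
// flag (and hence Origin, Sec-Fetch-Site and SameSite cookie handling)
// travel with it unchanged.
function forwardAsIs(request) {
  return request;
}

// Strategy B: rebuild the request, e.g. to add a header. This runs the
// Request constructor algorithm; step 12 of
// https://fetch.spec.whatwg.org/#dom-request resets the internal origin to
// "client", so the outgoing request is attributed to the worker's origin
// even though the worker merely passed it through.
function rebuildWithHeader(request, name, value) {
  const headers = new Headers(request.headers);
  headers.set(name, value);
  return new Request(request, { headers });
}

// Reports which script-visible fields survive the rebuild. The internal
// origin is not among them, which is why the fix has to be made in the
// spec rather than worked around in handler code.
function compareVisibleFields(original, rebuilt) {
  return {
    url: original.url === rebuilt.url,
    method: original.method === rebuilt.method,
    mode: original.mode === rebuilt.mode,
    credentials: original.credentials === rebuilt.credentials,
  };
}

// Register the handler only inside a service worker global scope, so the
// functions above can also be exercised from plain Node for inspection.
if (typeof self !== 'undefined' && typeof self.addEventListener === 'function') {
  self.addEventListener('fetch', (event) => {
    // Prefer strategy A unless the request genuinely has to be altered.
    event.respondWith(fetch(forwardAsIs(event.request)));
  });
}
```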