- From: Matt Menke <notifications@github.com>
- Date: Tue, 14 Sep 2021 05:33:32 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 14 September 2021 12:33:45 UTC
The reason for additional keys is to protect spying across cross-site frames in the same tab, which is much more a security issue than a privacy one. Sites can coordinate to provide each other this information, if they want, but extracting it from other sites without their cooperation is a cross-site attack. For the record, Chrome's solution is to use iframe site and an additional bit set for iframes - so an attacker can potentially figure out what's loaded in other frames / what other frames navigate to, but not what they're doing internally. The potential issues with Chrome's scheme are around performance (If https://a.com loads https://b.com resources, which then populate an https://b.com iframe, we'd need a new set of https://b.com connections for the iframe), resource exhaustion, and potentially making certain resource exhaustion attacks marginally easier (e.g, can max out the socket pools with fewer domains). -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/1035#issuecomment-919106021
Received on Tuesday, 14 September 2021 12:33:45 UTC