- From: Yoav Weiss <notifications@github.com>
- Date: Fri, 03 Jun 2022 01:16:10 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1434/review/994604634@github.com>
@yoavweiss commented on this pull request.

> @@ -2864,6 +2914,33 @@ run these steps: <li><p>Return <b>allowed</b>. </ol> +<h3 dfn export lt="header size is over cors limit" id=header-size-is-over-cors-limit> +Header size is over CORS limit</h3> + +Note: The goal of this algorithm is to prevent cross-origin requests from probing the size of sensitive <a for=/>header</a>s +(`<a http-header><code>Authorization</code></a>` or `<a http-header><code>Cookie</code></a>`) by adding <a for=/>header</a>s +to cross-site requests until the total size of all HTTP request <a for=/>header</a>s exceeds the server side limit. If this +algorithm returns true, the <a>CORS-preflight request</a> must be run. In order for this approach to succeed, servers should +not set a HTTP request <a for=/>header</a>s size limit below 8KB. + +<p>Run these steps on the provided <var>request</var>:

I guess that works, although I have a slight preference for algorithms that are defined outside of the header, and where their name defines an action. E.g., I'd name the algorithm as `<dfn>check if header size is over CORS limits</dfn>`, replace the "run these steps" sentence with `To <a>check if header size is over CORS limits</a> with <a>Request</a> <var>request</var> as input, run the following steps`, etc.

--
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1434#discussion_r888726700
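Review bot: the new Note carries normative requirements that a non-normative note cannot impose: "If this algorithm returns true, the CORS-preflight request must be run" and "servers should not set a HTTP request headers size limit below 8KB". Move the preflight requirement into the algorithm that calls this check (the caller is where the "must" belongs), and state the 8KB threshold as a defined value at the point where the steps compare the total header size against it, so the note and the steps cannot drift apart; the note can then describe the probing attack and refer to that value. Two wording fixes in the same note: "a HTTP request headers size limit" should read "an HTTP request header size limit", and the note switches between "cross-origin requests" and "cross-site requests" for the same requests; pick one term, since the two have distinct meanings in Fetch.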
Received on Friday, 3 June 2022 08:16:22 UTC