Re: [whatwg/fetch] Prevent cross-origin sensitive header probing (PR #1434)

@yoavweiss approved this pull request.

Non-authoritative LGTM % comments

> @@ -2864,6 +2914,33 @@ run these steps:
  <li><p>Return <b>allowed</b>.
 </ol>
 
+<h3 dfn export lt="is a cors requests header size over the limit" id=is-a-cors-requests-header-size-over-the-limit>
+Is a CORS request's header size over the limit?</h3>
+
+Note: The goal of this algorithm is to prevent cross-origin requests from probing the size of sensitive <a for=/>header</a>s
+(`<a http-header><code>Authorization</code></a>` or `<a http-header><code>Cookie</code></a>`) by adding <a for=/>header</a>s
+to cross-site requests until the total size of all HTTP request <a for=/>header</a>s exceeds the server side limit. If this
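Review bot: the `lt` on the new `<dfn>` ("is a cors requests header size over the limit") drops the possessive from the heading text ("request's"), so every call site has to link with the apostrophe-less form or Bikeshed will not resolve it. Either make the `lt` match the heading exactly (`lt="is a CORS request's header size over the limit"`) or drop the `lt` and let the heading text serve as the linking text, so that authors can copy the algorithm name as written.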

s/cross-site/cross-origin/?

>       <a for=request>method</a> is not a <a>CORS-safelisted method</a> or <var>request</var>'s
      <a>use-CORS-preflight flag</a> is set.
 
-     <li>There is at least one <a for=list>item</a> in the <a>CORS-unsafe request-header names</a>
-     with <var>request</var>'s <a for=request>header list</a> for which there is no
-     <a>header-name cache entry match</a> using <var>request</var>.
+     <li><var>makeCORSPreflight</var> is true and there is at least one <a for=list>item</a> in the
+     <a>CORS-unsafe request-header names</a> with <var>request</var>'s <a for=request>header list</a>
+     for which there is no <a>header-name cache entry match</a> using <var>request</var>.
+     
+     <li><a>The header size is over the CORS limits</a> for <var>request</var>.
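Review bot: the new `<li>` links `<a>The header size is over the CORS limits</a>`, which does not match the linking text of the definition introduced earlier in this patch ("is a cors requests header size over the limit": different wording, and "limits" plural), so Bikeshed will fail to resolve the reference. Link with the dfn's actual name and make it an explicit call with its argument and result, e.g. `<li><a>Is a CORS request's header size over the limit?</a> given <var>request</var> returns true.` The `+     ` line just above also carries trailing whitespace that should be trimmed.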

I prefer this to be an explicit call, e.g. "the header size is over CORS limits given request returns true"

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1434#pullrequestreview-1022357681

Message ID: <whatwg/fetch/pull/1434/review/1022357681@github.com>

Received on Tuesday, 28 June 2022 20:34:50 UTC