- From: Yoav Weiss <notifications@github.com>
- Date: Tue, 28 Jun 2022 13:34:37 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1434/review/1022357681@github.com>
@yoavweiss approved this pull request. Non-authoritative LGTM % comments > @@ -2864,6 +2914,33 @@ run these steps: <li><p>Return <b>allowed</b>. </ol> +<h3 dfn export lt="is a cors requests header size over the limit" id=is-a-cors-requests-header-size-over-the-limit> +Is a CORS request's header size over the limit?</h3> + +Note: The goal of this algorithm is to prevent cross-origin requests from probing the size of sensitive <a for=/>header</a>s +(`<a http-header><code>Authorization</code></a>` or `<a http-header><code>Cookie</code></a>`) by adding <a for=/>header</a>s +to cross-site requests until the total size of all HTTP request <a for=/>header</a>s exceeds the server side limit. If this s/cross-site/cross-origin/? > <a for=request>method</a> is not a <a>CORS-safelisted method</a> or <var>request</var>'s <a>use-CORS-preflight flag</a> is set. - <li>There is at least one <a for=list>item</a> in the <a>CORS-unsafe request-header names</a> - with <var>request</var>'s <a for=request>header list</a> for which there is no - <a>header-name cache entry match</a> using <var>request</var>. + <li><var>makeCORSPreflight</var> is true and there is at least one <a for=list>item</a> in the + <a>CORS-unsafe request-header names</a> with <var>request</var>'s <a for=request>header list</a> + for which there is no <a>header-name cache entry match</a> using <var>request</var>. + + <li><a>The header size is over the CORS limits</a> for <var>request</var>. I prefer this to be an explicit call, e.g. "the header size is over CORS limits given request returns true" -- Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/1434#pullrequestreview-1022357681 You are receiving this because you are subscribed to this thread. Message ID: <whatwg/fetch/pull/1434/review/1022357681@github.com>
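Review bot: In the `@@ -2864,6 +2914,33 @@` hunk, the new `<h3 dfn export lt="is a cors requests header size over the limit" ...>` heading drops the apostrophe from "request's" in its `lt`, so every autolink to this algorithm elsewhere in the spec has to use that exact apostrophe-free text (or the heading needs an `lt` alias); the text linked from the preflight condition in the next hunk ("The header size is over the CORS limits") matches neither the heading nor the `lt`. Separately, the Note explains the motivation (preventing a cross-origin page from learning the size of `Authorization` or `Cookie` by padding requests until the server's limit is hit) but, in the visible lines, never says what "the limit" is or which bytes count toward "the total size of all HTTP request headers" (names, values, separators); the algorithm steps should state both, since that is what implementations will diverge on. Minor: the Note switches from "cross-origin requests" to "cross-site requests" in one sentence; pick one term.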
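Review bot: In the preflight-conditions hunk, the second list item is now guarded with "<var>makeCORSPreflight</var> is true and ..." but the new third item, "<li><a>The header size is over the CORS limits</a> for <var>request</var>.", has no such guard, so an oversized header set would force a preflight even when <var>makeCORSPreflight</var> is false; if that asymmetry is intended it deserves a note, otherwise add the same guard. The item is also phrased as a statement rather than as an invocation of the algorithm defined in the previous hunk; write it as a call that yields a boolean, e.g. "<li><a>Is a CORS request's header size over the limit?</a> given <var>request</var> returns true.", using the defined heading text so the autolink resolves.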
Received on Tuesday, 28 June 2022 20:34:50 UTC