Re: [whatwg/fetch] Prevent cross-origin sensitive header probing (PR #1434)

@yoavweiss commented on this pull request.

I think it'd be good to discuss the overall approach, before diving into the details (which need some work):
* What headers do we want to limit? All `Sec-` headers? More?
* What size do we want to limit them to? IIUC from the issue comments we want them to share the limit with Referer. Is that correct?
* What request modes and credentials modes are impacted?
* What happens if the limits are passed? Do we want to preflight? Kill the request? Drop some headers?

> @@ -2864,6 +2864,73 @@ run these steps:
  <li><p>Return <b>allowed</b>.
 </ol>
 
+<h3 dfn export lt="prevent sensitive header size probing" id=prevent-sensitive-header-size-probing> Prevent sensitive header
+size probing</h3>
+
+Note: The goal of this algorithm is to prevent cross-origin requests from probing the size of sensitive <a for=/>header</a>s
+(`<a http-header><code>Authorization</code></a>` or `<a http-header><code>Cookie</code></a>`) by adding <a for=/>header</a>s
+to cross-site requests until the total size of all HTTP request <a for=/>header</a>s exceeds the server side limit. In order
+for this approach to succeed, servers should not set a HTTP request <a for=/>header</a>s size limit below 8KB.
+
+<p>Run these steps:
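
Review bot: The header references in the Note paragraph (`(`<a http-header><code>Authorization</code></a>` or `<a http-header><code>Cookie</code></a>`)`) are wrapped in backticks, so the `<a>` markup will render literally as code instead of linking; write them as `<a http-header><code>Authorization</code></a>` and `<a http-header><code>Cookie</code></a>` without the backticks, as the rest of the spec does. In the same paragraph, "a HTTP request headers size limit" should read "an HTTP request header size limit", and the "8KB" figure needs a concrete unit (bytes, and whether it is 8000 or 8192) and a name, since the steps that follow will have to compare against that exact value; a server operator reading this note cannot configure a limit against "8KB". Finally, the note says the attack is mounted on "cross-site requests" while the opening sentence talks about "cross-origin requests"; pick the boundary the algorithm actually checks and use it in both places.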

Here you need to define an algorithm that can be called from somewhere. e.g. `To <dfn>sanitize header size</dfn>, given a <a for="/">request</a> <var>request</var>, run these steps:`

> @@ -2864,6 +2864,73 @@ run these steps:
  <li><p>Return <b>allowed</b>.
 </ol>
 
+<h3 dfn export lt="prevent sensitive header size probing" id=prevent-sensitive-header-size-probing> Prevent sensitive header
+size probing</h3>
+
+Note: The goal of this algorithm is to prevent cross-origin requests from probing the size of sensitive <a for=/>header</a>s
+(`<a http-header><code>Authorization</code></a>` or `<a http-header><code>Cookie</code></a>`) by adding <a for=/>header</a>s
+to cross-site requests until the total size of all HTTP request <a for=/>header</a>s exceeds the server side limit. In order
+for this approach to succeed, servers should not set a HTTP request <a for=/>header</a>s size limit below 8KB.
+
+<p>Run these steps:
+
+<ol>
+ <li><p>If the request isn't cross-origin, return.
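
Review bot: Step 1 (`If the request isn't cross-origin, return.`) exempts same-origin requests only, but the Note above describes the attack as being carried out over "cross-site requests", and in Fetch origin and site are different boundaries. If the intent is that a same-site but cross-origin page can also probe `Cookie` size, the origin check is right and the Note should say cross-origin throughout; if the intent is to let same-site cross-origin requests through unchanged, the step should compare sites instead. Whichever it is, the step should also say what "return" means for the caller, since the surrounding algorithm (`Return <b>allowed</b>.`) has a return value and this one currently has none.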

Here you need to define what this means: which request you're referring to, and cross-origin to what.

`If <var>request</var>'s <a for=request>origin</a> is <a>same origin</a> with <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a>, return`

> @@ -2864,6 +2864,73 @@ run these steps:
  <li><p>Return <b>allowed</b>.
 </ol>
 
+<h3 dfn export lt="prevent sensitive header size probing" id=prevent-sensitive-header-size-probing> Prevent sensitive header
+size probing</h3>
+
+Note: The goal of this algorithm is to prevent cross-origin requests from probing the size of sensitive <a for=/>header</a>s
+(`<a http-header><code>Authorization</code></a>` or `<a http-header><code>Cookie</code></a>`) by adding <a for=/>header</a>s
+to cross-site requests until the total size of all HTTP request <a for=/>header</a>s exceeds the server side limit. In order
+for this approach to succeed, servers should not set a HTTP request <a for=/>header</a>s size limit below 8KB.
+
+<p>Run these steps:
+
+<ol>
+ <li><p>If the request isn't cross-origin, return.
+
+ <li><p>Let <var>sensitiveHeaderList</var> be the result of filtering <a for=response>header list</a> to include only
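
Review bot: Step 2 filters `<a for=response>header list</a>`, but the headers this algorithm is meant to measure (`Authorization` and `Cookie`, per the Note) are request headers; this should be `<var>request</var>'s <a for=request>header list</a>`. Once that is fixed, make sure the algorithm is invoked at a point where those headers have actually been appended to the request's header list; if it runs before they are added, <var>sensitiveHeaderList</var> will be empty and the size check becomes a no-op. The step should also name the header names it treats as sensitive explicitly rather than leaving that to the prose Note, so the filter has a normative definition to apply.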

I don't think "filtering" is a defined concept. You probably want to define a specific algorithm that operates on a [list](https://infra.spec.whatwg.org/#lists) of headers (that you need to provide as input) and outputs the values you want

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1434#pullrequestreview-977836006

Message ID: <whatwg/fetch/pull/1434/review/977836006@github.com>

Received on Thursday, 19 May 2022 02:43:53 UTC