Re: [whatwg/fetch] Prevent cross-origin sensitive header probing (PR #1434)

@yoavweiss commented on this pull request.



> +<a for=/>header list</a> <var>list</var> and <a for=/>header name</a>s <var>includeNames</var>, run these steps:
+
+<ol>
+ <li>Let <var>filteredList</var> be an empty <a for=/>header list</a>.
+
+ <li><a for=list>For each</a> (<var>name</var>, <var>value</var>) in <var>list</var>:
+
+  <ol>
+   <li>If <var>name</var> in <var>includeNames</var> then <a for=list>append</a> (<var>name</var>, <var>value</var>) to <var>filteredList</var>.
+  </ol>
+
+ <li><p>Return <var>filteredList</var>.
+</ol>
+
+<p>To
+<dfn export for="header list" id=concept-header-list-filter-include>filter exclude</dfn> a
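
Review bot: step 2.1 ("If name in includeNames") uses plain list membership, but header names in this spec are compared byte-case-insensitively, so a `cookie` entry in list would not match a `Cookie` include name and would be silently dropped from filteredList. State the comparison explicitly, e.g. "If includeNames contains name, byte-case-insensitively, then append (name, value) to filteredList", or define includeNames as lowercased names and byte-lowercase name before the check.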

s/include/exclude/

> +<a for=/>header list</a> <var>list</var> and <a for=/>header name</a>s <var>excludeNames</var>, run these steps:
+
+<ol>
+ <li>Let <var>filteredList</var> be an empty <a for=/>header list</a>.
+
+ <li><a for=list>For each</a> (<var>name</var>, <var>value</var>) in <var>list</var>:
+
+  <ol>
+   <li>If <var>name</var> not in <var>excludeNames</var> then <a for=list>append</a> (<var>name</var>, <var>value</var>) to <var>filteredList</var>.
+  </ol>
+
+ <li><p>Return <var>filteredList</var>.
+</ol>
+
+<p>To get the
+<dfn export for="header list" id=concept-header-list-filter-include>size</dfn> of a
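
Review bot: the `size` dfn on the last line carries `id=concept-header-list-filter-include`, the same id already used for the include (and exclude) filter dfn; duplicate ids make Bikeshed's cross-references ambiguous, so give it its own, e.g. `id=concept-header-list-size`. Minor: steps 1 and 2 use a bare `<li>` while step 3 uses `<li><p>`; the surrounding spec text (see "Return allowed" in the context lines) uses `<li><p>`, so make the three steps consistent.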

id seems off

> +Note: The goal of this algorithm is to prevent cross-origin requests from probing the size of sensitive <a for=/>header</a>s
+(`<a http-header><code>Authorization</code></a>` or `<a http-header><code>Cookie</code></a>`) by adding <a for=/>header</a>s
+to cross-site requests until the total size of all HTTP request <a for=/>header</a>s exceeds the server side limit. If this
+algorithm returns true, the <a>CORS-preflight request</a> must be run. In order for this approach to succeed, servers should
+not set a HTTP request <a for=/>header</a>s size limit below 8KB.
+
+<p>Run these steps on the provided <var>request</var>:
+
+<ol>
+ <li><p>If <var>request</var>'s <a for=request>origin</a> is <a>same origin</a> with <var>request</var>'s
+ <a for=request>current URL</a>'s <a for=url>origin</a>, return `false`.
+
+ <li><p>Let <var>sensitiveHeaderList</var> be the result of running <a for="header list">filter include</a> on <var>request</var>'s
+ <a for=response>header list</a> with `(<a http-header><code>Authorization</code></a>, <a http-header><code>Cookie</code></a>) as <var>includeNames</var>`.
+
+ <li><p>If the result of running <a for="header list">size</a> on <var>sensitiveHeaderList</var> is greater than 4KB, return `true`.
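
Review bot: step 2 links the header list as `<a for=response>header list</a>` although the object is request's header list; that should be `<a for=request>header list</a>`, otherwise the autolink resolves to the response concept. In the same step, the argument phrase `(Authorization, Cookie) as includeNames` is wrapped in backticks, which makes Bikeshed emit the `<a http-header>` and `<var>` markup as literal code text; drop the backticks and keep only the `<code>` elements around the two header names.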

s/running/getting the/ ?

> @@ -2864,6 +2914,33 @@ run these steps:
  <li><p>Return <b>allowed</b>.
 </ol>
 
+<h3 dfn export lt="header size is over cors limit" id=header-size-is-over-cors-limit>
+Header size is over CORS limit</h3>
+
+Note: The goal of this algorithm is to prevent cross-origin requests from probing the size of sensitive <a for=/>header</a>s
+(`<a http-header><code>Authorization</code></a>` or `<a http-header><code>Cookie</code></a>`) by adding <a for=/>header</a>s
+to cross-site requests until the total size of all HTTP request <a for=/>header</a>s exceeds the server side limit. If this
+algorithm returns true, the <a>CORS-preflight request</a> must be run. In order for this approach to succeed, servers should
+not set a HTTP request <a for=/>header</a>s size limit below 8KB.
+
+<p>Run these steps on the provided <var>request</var>:
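
Review bot: the sentence "If this algorithm returns true, the CORS-preflight request must be run" is a normative requirement, but it sits inside a Note, which is non-normative; move the requirement into the caller (the step in Fetching that decides whether a CORS-preflight request is needed) and leave the note to explain intent only. Minor: "a HTTP request headers size limit" should read "an HTTP request header size limit", and "server side limit" should be hyphenated as "server-side limit".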

It'd be better to define this as an algorithm and then to call it from somewhere in Fetching before the request is sent.

> +<a for=/>header list</a> <var>list</var> and <a for=/>header name</a>s <var>excludeNames</var>, run these steps:
+
+<ol>
+ <li>Let <var>filteredList</var> be an empty <a for=/>header list</a>.
+
+ <li><a for=list>For each</a> (<var>name</var>, <var>value</var>) in <var>list</var>:
+
+  <ol>
+   <li>If <var>name</var> not in <var>excludeNames</var> then <a for=list>append</a> (<var>name</var>, <var>value</var>) to <var>filteredList</var>.
+  </ol>
+
+ <li><p>Return <var>filteredList</var>.
+</ol>
+
+<p>To get the
+<dfn export for="header list" id=concept-header-list-filter-include>size</dfn> of a
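
Review bot: "filter exclude" has no caller in the visible hunks (the over-limit algorithm only invokes "filter include"), so either drop it or add the algorithm that needs it; an exported dfn with no user tends to linger. If it stays, step 2.1's "not in excludeNames" needs the same byte-case-insensitive comparison as the include variant, since a lowercase name in list would otherwise pass an `Authorization` exclude entry.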

Also, may be better to have the algorithm dfn be around "get the size"

> +Note: The goal of this algorithm is to prevent cross-origin requests from probing the size of sensitive <a for=/>header</a>s
+(`<a http-header><code>Authorization</code></a>` or `<a http-header><code>Cookie</code></a>`) by adding <a for=/>header</a>s
+to cross-site requests until the total size of all HTTP request <a for=/>header</a>s exceeds the server side limit. If this
+algorithm returns true, the <a>CORS-preflight request</a> must be run. In order for this approach to succeed, servers should
+not set a HTTP request <a for=/>header</a>s size limit below 8KB.
+
+<p>Run these steps on the provided <var>request</var>:
+
+<ol>
+ <li><p>If <var>request</var>'s <a for=request>origin</a> is <a>same origin</a> with <var>request</var>'s
+ <a for=request>current URL</a>'s <a for=url>origin</a>, return `false`.
+
+ <li><p>Let <var>sensitiveHeaderList</var> be the result of running <a for="header list">filter include</a> on <var>request</var>'s
+ <a for=response>header list</a> with `(<a http-header><code>Authorization</code></a>, <a http-header><code>Cookie</code></a>) as <var>includeNames</var>`.
+
+ <li><p>If the result of running <a for="header list">size</a> on <var>sensitiveHeaderList</var> is greater than 4KB, return `true`.
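
Review bot: the 4KB threshold in step 3 and the 8KB server limit in the note are not tied together, so the guarantee is unclear: when the sensitive headers total 4KB or less the algorithm returns false, and nothing in these steps bounds how large the remaining request headers may become, so a reader cannot tell why the server limit cannot then be reached without a preflight. Spell out the relationship (for example, that the other request headers are capped elsewhere so that cap plus 4KB stays under 8KB, naming the step that enforces it), and give both limits in bytes (4096 and 8192, or 4000 and 8000) rather than "KB", which is ambiguous.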

Also, same comment for line 2940

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1434#pullrequestreview-990682707

Message ID: <whatwg/fetch/pull/1434/review/990682707@github.com>

Received on Tuesday, 31 May 2022 15:43:35 UTC