[whatwg/fetch] Specify exception to redirect-tainting: Upgrade-Insecure-Requests (UIR) and HSTS scheme upgrades (Issue #1551)

*Originally filed at https://github.com/w3c/webappsec-upgrade-insecure-requests/issues/32*


UIR (and HSTS) are commonly implemented as an internal redirect from http to https (at least in Firefox and Chrome, AFAIK). This has implications for CORS, and the last thread I found on this was unresolved (https://github.com/whatwg/fetch/issues/324).

A central concept in CORS is "Origin", visible as a request header, defined at https://fetch.spec.whatwg.org/#serializing-a-request-origin as:

> Serializing a request origin, given a [request](https://fetch.spec.whatwg.org/#concept-request) *request*, is to run these steps:
>
> 1. If *request* has a [redirect-tainted origin](https://fetch.spec.whatwg.org/#concept-request-tainted-origin), then return "null".
> 2. Return *request*’s [origin](https://fetch.spec.whatwg.org/#concept-request-origin), [serialized](https://html.spec.whatwg.org/multipage/browsers.html#ascii-serialisation-of-an-origin).

The request is considered to have a "[redirect-tainted origin](https://fetch.spec.whatwg.org/#concept-request-tainted-origin)" when any of the origins in the redirect chain is cross-origin to the request's origin.

When UIR is implemented as a redirect, a cross-origin fetch to `http://example.com` is immediately followed by a (cross-origin) redirect to `https://example.com`. According to the above spec, the origin would therefore be `null`.
An argument can however be made for not tainting the Origin when a request is upgraded through UIR/HSTS.

Test case: https://jsfiddle.net/0kq28zgj/1/
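To make the tainting rule concrete, here is an added example (not code from the Fetch spec, the browsers, or the issue author) that models the "serialize a request origin" steps quoted above and adds the proposed carve-out as an opt-in flag; the `isSchemeUpgradeHop` exception and the paraphrase of the tainting check are assumptions, and the request object is constructed for the demonstration.

```javascript
// Added example (not Fetch spec or issue-author code): models the "serialize a
// request origin" steps quoted above plus a hypothetical http -> https carve-out.
const DEFAULT_PORT = { http: 80, https: 443 };

// Tuple origin (scheme, host, port); URL.port is "" for the scheme's default.
function originOf(urlString) {
  const u = new URL(urlString);
  const scheme = u.protocol.slice(0, -1);
  return { scheme, host: u.hostname, port: u.port === "" ? DEFAULT_PORT[scheme] : Number(u.port) };
}
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// ASCII serialization: the port is omitted when it is the scheme's default.
function serializeOrigin(o) {
  return `${o.scheme}://${o.host}` + (o.port === DEFAULT_PORT[o.scheme] ? "" : `:${o.port}`);
}

// Proposed exception (assumption, not spec text): a hop that only upgrades
// http -> https on the same host with default ports is not a cross-origin hop.
function isSchemeUpgradeHop(from, to) {
  return from.scheme === "http" && to.scheme === "https" &&
    from.host === to.host && from.port === 80 && to.port === 443;
}

// Redirect-tainted origin, paraphrasing the Fetch spec check (assumed faithful):
// a hop taints when the new URL is cross-origin to the previous one and the
// request's own origin is also cross-origin to that previous URL.
function hasRedirectTaintedOrigin(request, { exemptSchemeUpgrades = false } = {}) {
  let last = null;
  for (const url of request.urlList) {
    const cur = originOf(url);
    if (last !== null && !sameOrigin(cur, last) && !sameOrigin(request.origin, last) &&
        !(exemptSchemeUpgrades && isSchemeUpgradeHop(last, cur))) {
      return true;
    }
    last = cur;
  }
  return false;
}

// Serializing a request origin: "null" if tainted, else the serialized origin.
function serializeRequestOrigin(request, opts) {
  return hasRedirectTaintedOrigin(request, opts) ? "null" : serializeOrigin(request.origin);
}

// Constructed input: https://app.example fetches http://example.com and the
// browser's internal UIR/HSTS redirect upgrades the URL to https://example.com.
const upgradedRequest = {
  origin: originOf("https://app.example/"),
  urlList: ["http://example.com/api", "https://example.com/api"],
};
```

With the flag off the upgraded request serializes as `null` (the spec text as quoted); with it on, the original `https://app.example` is sent, matching what Chrome and Safari do today.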


In practice, current versions of Chrome (107) and Safari (15.6) send the original Origin.
Firefox (108) currently sends `Origin: null`, but internally uses the original Origin (and breaks CORS when the server mirrors `Origin` in `Access-Control-Allow-Origin`). I believe that this is a bug (https://bugzilla.mozilla.org/show_bug.cgi?id=1800990), so once fixed, it looks like all major browsers will treat UIR/HSTS/extension-initiated scheme upgrades as a non-tainting redirect.

In short: it looks like the major browsers are (or will be) consistently not converting the Origin to null after a scheme upgrade, and it would be useful to update the specification to codify this.

https://github.com/whatwg/fetch/issues/1551

Received on Saturday, 26 November 2022 16:38:08 UTC