- From: Noam Rosenthal <notifications@github.com>
- Date: Mon, 05 Sep 2022 06:24:11 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 5 September 2022 13:24:24 UTC
Redirect tainting is what changes the origin into "null" when there are cross-origin redirects. It makes sense in places where we deal with credentials & data, mainly to protect against [confused deputy](https://en.wikipedia.org/wiki/Confused_deputy_problem). However, when timing are involved, the confused deputy attack is meaningless. All this does is make it so that an origin cannot read its own timing without `TAO`. Since an origin knows its own timing anyway in the server, this protection is mainly a nuisance. Perhaps there's a valid reason for it that I don't see, and perhaps we want to be careful about removing protections, but in either case it would be nice to spell out what this protects again in some informative note. -- Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/1484 You are receiving this because you are subscribed to this thread. Message ID: <whatwg/fetch/issues/1484@github.com>
Received on Monday, 5 September 2022 13:24:24 UTC