Re: [whatwg/fetch] Consider shifting the "bad port list" to an allowlist. (#1189)

> > Alternately, could we get most of the benefit without some of the pain by not restricting the main navigation, but only restricting sub-resource requests (explicitly allowing them to the ip:port used for the main navigation)?
> 
> I think the security benefits of this are not that great, since you can perform many attacks just by using a form with POST. However, it might be a good transitional stage to get web developers used to the idea of there being an allowlist.

What if links and POST requests were only allowed so long as they matched the top-level port? I.e. allow the user to navigate to any port manually, but content can only link to other resources served from the same port or from allowlisted ports?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1189#issuecomment-1529738373
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/issues/1189/1529738373@github.com>

Received on Monday, 1 May 2023 14:00:05 UTC
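The policy sketched in the comment above (content-initiated requests are permitted only to the top-level navigation's port or to an allowlisted port, while manual navigation is unrestricted) can be written down as a small decision function. The code below is an added illustration for this thread, not code from the Fetch specification or the whatwg repository; the function names, the `ALLOWLISTED_PORTS` contents and the sample request list are assumptions constructed here, and it uses only the WHATWG `URL` API to normalise ports.

```javascript
// Added example: a port-matching policy for content-initiated requests, modelled
// on the proposal in the comment above. Hypothetical API; not from the Fetch spec.

// Ports the URL parser treats as defaults (it leaves url.port === "" for these).
const DEFAULT_PORTS = { "http:": 80, "https:": 443, "ws:": 80, "wss:": 443 };

// Hypothetical allowlist: ports reachable regardless of the top-level port.
const ALLOWLISTED_PORTS = new Set([80, 443]);

// Resolve the effective port of a URL, or null for schemes without a known default.
function effectivePort(urlString) {
  const u = new URL(urlString);
  if (u.port !== "") return Number(u.port);
  const p = DEFAULT_PORTS[u.protocol];
  return p === undefined ? null : p;
}

// Decide whether a request may proceed. Returns { allowed, reason } so a
// user agent could log or surface the reason for a block.
function checkPortPolicy(topLevelUrl, requestUrl, options = {}) {
  const { userInitiated = false, allowlist = ALLOWLISTED_PORTS } = options;

  // Manual navigation by the user is always permitted under the proposal.
  if (userInitiated) return { allowed: true, reason: "user-initiated" };

  const reqPort = effectivePort(requestUrl);
  if (reqPort === null) return { allowed: false, reason: "unknown-scheme" };

  const topPort = effectivePort(topLevelUrl);
  if (reqPort === topPort) return { allowed: true, reason: "same-port" };
  if (allowlist.has(reqPort)) return { allowed: true, reason: "allowlisted-port" };

  return { allowed: false, reason: `port ${reqPort} not top-level port ${topPort} and not allowlisted` };
}

// Constructed sample: a page served from an intranet app on port 8080 issuing
// several sub-resource requests. Returns one decision per request.
function evaluateSamples() {
  const topLevel = "http://intranet.test:8080/dashboard";
  const requests = [
    { url: "http://intranet.test:8080/app.js" },          // same port
    { url: "https://cdn.test/lib.js" },                    // 443, allowlisted
    { url: "http://127.0.0.1:6379/" },                     // not allowed
    { url: "http://intranet.test:8080/admin", userInitiated: true },
    { url: "ftp://files.test/" },                          // unknown scheme
  ];
  return requests.map((r) => ({
    url: r.url,
    ...checkPortPolicy(topLevel, r.url, { userInitiated: r.userInitiated === true }),
  }));
}

// Default-port normalisation: ":443" on an https URL compares equal to no port.
function defaultPortMatches() {
  return checkPortPolicy("https://example.test/", "https://example.test:443/api").allowed;
}

console.log(evaluateSamples());
```

Because the URL parser strips an explicit default port, `https://example.test:443/` and `https://example.test/` are treated as the same port, which is the behaviour a port-based policy needs; a comparison on the raw `port` string would wrongly block one of them.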