- From: jub0bs <notifications@github.com>
- Date: Wed, 20 Sep 2023 05:58:13 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/1588/1727676834@github.com>
> The tradeoff here is that you end up giving more information to potential attackers. That's true, but I wonder two things: 1. Would such information be valuable to an attacker? 2. Could an attacker not glean this information through dynamic analysis of the CORS-aware resource anyway? In fact, if we assume that both 1. and 2. are true, typical CORS implementations (as described in [the OP](https://github.com/whatwg/fetch/issues/1588#issue-1526130185)) do encourage attackers to perform such dynamic analysis, which may place undue load on the server. > [...] perhaps attackers can also learn something from the amount of time it takes to grant or deny access to a particular request. Just to be clear, are you referring here purely to the _CORS-specific part_ of handling the _actual_ request, i.e. the logic in charge of checking whether the request's origin is allowed? If that's what you referring to, your warning in this regard still stands: > Be aware that any work the server performs might nonetheless leak through side channels, such as timing. But I don't see why this consideration should prevent us from pursuing the idea that servers follow the steps of the CORS-preflight fetch algorithm, so as to ease troubleshooting of CORS issues on the client side. Perhaps a concrete/realistic attack scenario (it one exists) would clarify the issue. Can you think of one? -- Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/1588#issuecomment-1727676834 You are receiving this because you are subscribed to this thread. Message ID: <whatwg/fetch/issues/1588/1727676834@github.com>
Received on Wednesday, 20 September 2023 12:58:18 UTC