- From: jub0bs <notifications@github.com>
- Date: Wed, 20 Sep 2023 07:38:53 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 20 September 2023 14:38:58 UTC
1 My main question is whether the information thus revealed (not even considering timing attacks indeed) would be pertinent to an attacker. Only if the answer is "yes" should we worry about dynamic analysis getting detected/blocked, don't you think? 2 Do you have specific example in mind that would clearly weigh against the stronger normative server requirements that I suggested above? Besides, you have to balance the ramifications of leaking such information against ease of troubleshooting. How many CORS misconfigurations with serious security consequences can be ascribed to the difficulty in troubleshooting CORS issues on the client side, due to CORS middleware hiding precious context from the browser? In my experience, server developers on a deadline and at a loss to resolve a hard-to-debug CORS issue will sooner void the SOP's restrictions on network access (e.g. by allowing access from all origins with credentials) than get to the root cause of their CORS issue. -- Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/1588#issuecomment-1727865152 You are receiving this because you are subscribed to this thread. Message ID: <whatwg/fetch/issues/1588/1727865152@github.com>
Received on Wednesday, 20 September 2023 14:38:58 UTC