Re: [whatwg/fetch] Allow Origin and Access-Control-Allow-Origin to have multiple values (Issue #1790)

I suspect so.

Now in 2009 I had actually written up things as a space-separated list and Adam Barth followed that in the IETF draft: https://lists.w3.org/Archives/Public/public-webapps/2009JulSep/1267.html.

However, I undid this here because implementations were not emitting a list: https://github.com/whatwg/fetch/commit/713ddadc85c4ad8181e2e8ba733d9293d0e51cfc.

One of the URLs referenced there has this quote from Brad Hill:

> This is necessary to prevent reflection vulnerabilities in which the target of an XHR causes a redirect back to the origin making the request.

So that's a case of A making a request to B, which redirects to A. Today that gives `Origin: null` to the final A. Historically that would have given `Origin: A B`. Either way that seems sufficient to me security-wise. If we do anything here we probably have to better understand why there was a convergence on null to begin with.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1790#issuecomment-2540646409

Message ID: <whatwg/fetch/issues/1790/2540646409@github.com>

Received on Friday, 13 December 2024 06:27:01 UTC
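The A -> B -> A redirect case discussed in the message above, worked through as an added example; this is not code from the thread, the Fetch Standard, or any browser. The first part implements the Fetch Standard's "has a redirect-tainted origin" steps, which are what make today's browsers send `Origin: null` after a cross-origin redirect; the second part is the server-side check a target like A should apply so that a redirected request cannot be mistaken for A's own. Function names, the origins `https://a.example`, `https://b.example` and `https://c.example`, and the allowlist are assumptions made for the example, and the `split(" ")` branch only models the historical space-separated form the message mentions.

```javascript
// Added example (not from the thread or the Fetch Standard): Origin header
// value across redirects, plus a server-side check that never trusts "null"
// and never reflects an unchecked Origin. Uses only the WHATWG URL API.
// Assumed origins for the scenario: A = https://a.example, B = https://b.example.

// Serialise a URL's origin the way the Origin header does.
// Opaque origins (e.g. data: URLs) serialise as the string "null".
function originOf(url) {
  return new URL(url).origin;
}

// Fetch Standard, "has a redirect-tainted origin": walk the request's URL list
// (first entry is the request URL, later entries are redirect targets). The
// origin becomes tainted as soon as a hop is cross-origin AND the URL being
// redirected away from is not the requester's own origin. A same-origin page
// redirecting elsewhere is therefore fine; B redirecting anywhere else is not.
function hasRedirectTaintedOrigin(requestOrigin, urlList) {
  let lastURL = null;
  for (const url of urlList) {
    if (lastURL === null) {
      lastURL = url;
      continue;
    }
    const lastOrigin = originOf(lastURL);
    if (originOf(url) !== lastOrigin && requestOrigin !== lastOrigin) {
      return true;
    }
    lastURL = url;
  }
  return false;
}

// Value a browser puts in the Origin header of a CORS request at the
// current hop: the requester's origin, or "null" once the chain is tainted.
function originHeaderValue(requestOrigin, urlList) {
  return hasRedirectTaintedOrigin(requestOrigin, urlList) ? "null" : requestOrigin;
}

// Server side (what A should do before setting Access-Control-Allow-Origin):
// exact-match against an allowlist. "null" is never accepted, because it is
// exactly what a redirected cross-origin request (and any opaque-origin
// page) arrives with. The historical space-separated form is accepted only
// if every origin in the list is allowed; this branch is an assumption
// modelling the old draft behaviour, not something current browsers send.
function isOriginAllowed(originHeader, allowlist) {
  if (typeof originHeader !== "string" || originHeader === "null") {
    return false;
  }
  const origins = originHeader.split(" ");
  return origins.every((o) => allowlist.includes(o));
}

// Worked scenario from the thread: A fetches B, B redirects back to A.
// Constructed inputs; the URL list is what the browser would have built.
const A = "https://a.example";
const B = "https://b.example";
const C = "https://c.example";

function threadScenario() {
  const urlList = [`${B}/endpoint`, `${A}/callback`];
  const origin = originHeaderValue(A, urlList); // "null" in today's browsers
  return { origin, allowedAtA: isOriginAllowed(origin, [A]) };
}
```

Because `originHeaderValue` returns `"null"` for the A -> B -> A chain, A's allowlist check fails even though the page that started the request really was A; that is the protection Brad Hill's quote refers to. By contrast, an A -> A -> B chain (A's own page redirecting to B) keeps `Origin: A`, since the hop that goes cross-origin starts from the requester's own origin.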