Re: [whatwg/fetch] Allow Origin and Access-Control-Allow-Origin to have multiple values (Issue #1790)

I reached out to Brad and he provided some relevant references to this discussion:

- https://lists.w3.org/Archives/Public/public-webappsec/2017May/0012.html
- https://issues.chromium.org/issues/40081583

Further, I dug into the browsers' code history to see if there was anything there:

- Firefox's [change](https://bugzilla.mozilla.org/show_bug.cgi?id=814141) occurred after the Fetch Spec change https://github.com/whatwg/fetch/commit/713ddadc85c4ad8181e2e8ba733d9293d0e51cfc. Prior to that change, their Origin [documentation](https://wiki.mozilla.org/Security/Origin#Selection_of_%22null%22_token), linked in the report which triggered your spec change, was not aligned with their implementation.
- Chromium's change was reported as a bug and patched after most browsers had adopted this behavior.
- WebKit's [change](https://github.com/WebKit/WebKit/commit/c06f70adc63c) came from this [bug](https://auto-bugs.webkit.org/show_bug.cgi?format=multiple&id=144817), which I don't have access to. A duplicate of that [bug](https://auto-bugs.webkit.org/show_bug.cgi?format=multiple&id=144817) has some answers for us:
> RFC6454 allows this header to be multi-valued on redirects, but CORS (http://w3.org/TR/cors) implicitly requires it to be single-valued (because it specifies an exact string match comparison)

At that point, the CORS spec seems to rely on HTML5 for the definition of Origin, which defines it implicitly as single-valued. Piecing it together with the Firefox Origin documentation clarifies why they could have arrived at "null" for that single value.

Just by reading between the lines, it doesn't seem like there was a coordinated pathway to this convergence. Instead, it looks like it was driven by implementers not using multiple origins for redirects (causing the vulnerability you referenced) and by variations between different specifications at that point.


-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1790#issuecomment-2543347083

Message ID: <whatwg/fetch/issues/1790/2543347083@github.com>

Received on Saturday, 14 December 2024 21:17:12 UTC
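The quoted WebKit comment and the message above both hinge on one point: the CORS check is an exact string comparison, so neither Origin nor Access-Control-Allow-Origin can usefully carry more than one value, and a cross-origin redirect has to collapse the request origin to a single token ("null"). The following is an added example, not code from the thread, the Fetch Standard, or any browser. It models the Fetch Standard's "CORS check" and "redirect-tainted origin" steps as I read them; the request shape (`origin`, `urlList`, `credentialsMode`), the header representation as `[name, value]` pairs, and every origin and URL in the scenarios are constructed for illustration.

```javascript
// Added example: a model of the Fetch Standard's CORS check and redirect-tainted
// origin steps (my reading of the spec, not browser code). It shows why Origin and
// Access-Control-Allow-Origin are effectively single-valued: the check is a
// byte-for-byte string comparison. All inputs below are constructed.

// Fetch's "get a header" joins repeated header values with ", ".
// headers: array of [name, value] pairs, as they arrive on the wire.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  const values = headers
    .filter(([n]) => n.toLowerCase() === wanted)
    .map(([, v]) => v.trim());
  return values.length === 0 ? null : values.join(", ");
}

// A request has a redirect-tainted origin if, walking its URL list, some hop
// changes origin and the request's own origin was not the origin it left.
// request.origin is a serialized origin such as "https://a.example";
// request.urlList is every URL fetched so far, in order (redirects append).
function hasRedirectTaintedOrigin(request) {
  let lastOrigin = null;
  for (const url of request.urlList) {
    const origin = new URL(url).origin;
    if (lastOrigin === null) { lastOrigin = origin; continue; }
    if (origin !== lastOrigin && request.origin !== lastOrigin) return true;
    lastOrigin = origin;
  }
  return false;
}

// What the browser puts in the Origin header: the serialized origin, or the
// single token "null" once the request has been redirected through another origin.
function serializeRequestOrigin(request) {
  return hasRedirectTaintedOrigin(request) ? "null" : request.origin;
}

// The CORS check. request.credentialsMode is "omit", "same-origin" or "include".
function corsCheck(request, responseHeaders) {
  const allowOrigin = getHeader(responseHeaders, "Access-Control-Allow-Origin");
  if (allowOrigin === null) return false;                              // header absent
  if (request.credentialsMode !== "include" && allowOrigin === "*") return true;
  if (serializeRequestOrigin(request) !== allowOrigin) return false;   // exact match only
  if (request.credentialsMode !== "include") return true;
  return getHeader(responseHeaders, "Access-Control-Allow-Credentials") === "true";
}

// Constructed scenarios for the points raised in the thread.
function scenarios() {
  const direct = {
    origin: "https://a.example",
    urlList: ["https://api.example/data"],
    credentialsMode: "omit",
  };
  const redirected = { ...direct, urlList: ["https://api.example/v1", "https://cdn.example/v2"] };
  const allowA = [["Access-Control-Allow-Origin", "https://a.example"]];
  return {
    // One ACAO value, byte-identical to Origin: allowed.
    exactMatch: corsCheck(direct, allowA),
    // Two ACAO headers are combined into "https://a.example, https://b.example"
    // before comparison, so a server listing several origins allows none of them.
    twoAllowOriginHeaders: corsCheck(direct, [
      ["Access-Control-Allow-Origin", "https://a.example"],
      ["Access-Control-Allow-Origin", "https://b.example"],
    ]),
    // An RFC 6454-style space-separated Origin list never matches a single ACAO value.
    rfc6454ListOrigin: corsCheck({ ...direct, origin: "https://a.example https://b.example" }, allowA),
    // After a cross-origin redirect the Origin header becomes "null", so the
    // original origin no longer matches...
    afterRedirectOriginHeader: serializeRequestOrigin(redirected),
    afterRedirectStillAllowsA: corsCheck(redirected, allowA),
    // ...while a server that allow-lists "null" admits it (and every other
    // opaque-origin sender, e.g. sandboxed iframes), so "null" should never be allow-listed.
    afterRedirectAllowsNull: corsCheck(redirected, [["Access-Control-Allow-Origin", "null"]]),
    // A redirect away from the request's own origin does not taint it.
    sameOriginHopKeepsOrigin: serializeRequestOrigin({ ...redirected, origin: "https://api.example" }),
    // Credentialed requests: "*" is rejected, and an exact match also needs ACAC.
    wildcardWithCredentials: corsCheck({ ...direct, credentialsMode: "include" },
      [["Access-Control-Allow-Origin", "*"]]),
    exactWithCredentials: corsCheck({ ...direct, credentialsMode: "include" }, [
      ["Access-Control-Allow-Origin", "https://a.example"],
      ["Access-Control-Allow-Credentials", "true"],
    ]),
  };
}
```

The practical consequence for a server is that "multiple allowed origins" has to be implemented by selecting one value per response (an allow list consulted against the request's Origin, with `Vary: Origin`), never by emitting several Access-Control-Allow-Origin values, and that "null" must be treated as an anonymous origin rather than added to any allow list.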