- From: Simon Pieters <notifications@github.com>
- Date: Thu, 13 Jun 2024 01:45:06 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1755/review/2115166104@github.com>
@zcorpan commented on this pull request.

> +
> +<div class=note>
> + <p>Opaque-response blocking, also known as <abbr>ORB</abbr>, is a network filter that blocks access
> + to <a>opaque filtered responses</a>. These responses would likely would not have been useful to the
> + fetching party. Blocking them reduces information leakage to potential attackers.
> +
> + <p>Essentially, CSS, JavaScript, images, and media (audio and video) can be requested across
> + origins without the <a>CORS protocol</a>. And unfortunately except for CSS there is no MIME type
> + enforcement. This algorithm aims to block as many responses as possible that are not one of these
> + types (or are newer variants of those types) to avoid leaking their contents through side channels.
> +
> + <p>The network filter combines pro-active blocking based on response headers, sniffing a limited
> + set of bytes, and ultimately falls back to a full parse due to unfortunate (lack of) design
> + decisions in the early days of the web platform. As a result there are still quite a few responses
> + whose secrets can end up being revealed to attackers. Web developers are strongly encouraged to use
> + the `<code http-header>Cross-Origin-Resource-Policy</code>` response header to defend them.

The `http-header` attribute seems to cause a build error. Try `dfn-type=http-header`

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1755#pullrequestreview-2115166104
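Review bot: the first paragraph of the added note has a duplicated word, "These responses would likely would not have been useful to the fetching party"; drop one "would". In the last paragraph, the backticks wrapped around `<code http-header>Cross-Origin-Resource-Policy</code>` look redundant with the <code> element inside them (Bikeshed's markdown mode already renders a backtick span as code), so keep one or the other. Two smaller wording points in the same paragraph: "pro-active" is normally spelled "proactive", and "to defend them" leaves the antecedent unclear; "to protect such responses" says what is meant.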
Received on Thursday, 13 June 2024 08:45:10 UTC