Re: [whatwg/fetch] Define opaque-response blocking (updated) (PR #1755)

@zcorpan commented on this pull request.



> +
+<div class=note>
+ <p>Opaque-response blocking, also known as <abbr>ORB</abbr>, is a network filter that blocks access
+ to <a>opaque filtered responses</a>. These responses would likely would not have been useful to the
+ fetching party. Blocking them reduces information leakage to potential attackers.
+
+ <p>Essentially, CSS, JavaScript, images, and media (audio and video) can be requested across
+ origins without the <a>CORS protocol</a>. And unfortunately except for CSS there is no MIME type
+ enforcement. This algorithm aims to block as many responses as possible that are not one of these
+ types (or are newer variants of those types) to avoid leaking their contents through side channels.
+
+ <p>The network filter combines pro-active blocking based on response headers, sniffing a limited
+ set of bytes, and ultimately falls back to a full parse due to unfortunate (lack of) design
+ decisions in the early days of the web platform. As a result there are still quite a few responses
+ whose secrets can end up being revealed to attackers. Web developers are strongly encouraged to use
+ the `<code http-header>Cross-Origin-Resource-Policy</code>` response header to defend them.
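Review bot: The first paragraph of the note has a duplicated word, `would likely would not have been useful`; drop one `would`. The closing sentence is also ambiguous about what `them` refers to (the responses? the developers?); suggest `to protect such responses` so the reader knows the header is applied to the resource being served cross-origin. Minor style point in the second paragraph: `And unfortunately except for CSS there is no MIME type enforcement.` reads better as `Unfortunately, except for CSS, there is no MIME type enforcement.`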

The `http-header` attribute seems to cause a build error. Try `dfn-type=http-header`.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1755#pullrequestreview-2115166104
Message ID: <whatwg/fetch/pull/1755/review/2115166104@github.com>

Received on Thursday, 13 June 2024 08:45:10 UTC