- From: Noam Rosenthal <notifications@github.com>
- Date: Wed, 29 Jan 2025 01:10:31 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1806/review/2580396179@github.com>
@noamr commented on this pull request.

> + +<h4 id=fetch-elsewhere-no-cors>No-CORS requests</h4> + +<p>Embedding cross-origin resources, without the ability to read them, existed prior to CORS. +Cross-origin images, scripts, stylesheets & media are embeddable in a <a for=/>document</a> without +the embedding <a for=/>origin</a> identifying themselves and receive explicit confirmation. + +<p>To maintain backwards compatibility, this form of fetching is still supported. Instead of +restricting the network access, the embedder is restricted in what they are allowed to do with the +<a for=/>response</a>. They can embed it in their document and present it to the user, but this has +to be done in a way that's opaque to the embedding origin. Only the user should have access to the +resource, not the embedder. + +<p>This mechanism of fetching should not be used in new specs. However, specs should be written with +the notion that no-CORS resources exists, and the new spec should not grant origins the ability to +read their contents.

Reworded a bit, WDYT?

> +<p>In a nutshell, when a user accesses a certain origin using their browser or other user agent, +they don't expect that the user agent implicitly grants that <a for=/>origin</a> full access to +their network, which could, for example, be an intranet, despite the user agent itself having that +access.

Done

> +<p>The main way to access cross-origin data is via the <a>cors protocol</a>, described in detail in +this standard. CORS (Cross Origin Resource Sharing) is built on the principle that origins that want

Done

> +<p>Due to the leaky nature of no-CORS requests, resources can further protect themselves by +providing a `<a http-header><code>Cross-Origin-Resource-Policy</code></a>` header (CORP). By

Done

> +<p>Instead, the embedder must use +<a data-lt="cross-origin isolated capability">cross-origin isolation</a>, using the +`<a http-header><code>Cross-Origin-Embedder-Policy</code></a>` header to restrict embedding of +cross-origin resources only to resources that explicitly allow this. + +<p>Note that CORP and cross-origin isolation are not designed to be a "lighter version of CORS". +Their purpose is to restrict embedding of existing resources that are normally embeddable without +CORS, in order to enable safe usage of powerful platform features. + +<p>Other specifications should consider requiring CORP if they expose a powerful platform feature, +regardless of whether they themselves invoke <a for=/>fetch</a>. + +<h4 id=fetch-elsewhere-TAO>Accessing timing information (TAO)</h4> + +<p>Beside the protections for the resource's data itself, the Fetch standard enforces restrictions +on accessing timing information associated with the <a for=/>fetch</a>. This timing information

Added something

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1806#discussion_r1933503895
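Review bot: In the No-CORS hunk, "without the embedding origin identifying themselves and receive explicit confirmation" pairs a singular subject with a plural pronoun and breaks the parallel between the two verbs; suggest "without the embedding origin identifying itself and receiving explicit confirmation". In the last paragraph of the same hunk, "no-CORS resources exists" should be "no-CORS resources exist".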
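Review bot: In the "main way to access cross-origin data" hunk, the expansion "Cross Origin Resource Sharing" should be hyphenated as "Cross-Origin Resource Sharing", and the link text "cors protocol" should be written "CORS protocol" to match the term this standard defines, since the lowercased text is what readers see in the rendered spec.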
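Review bot: In the "Instead, the embedder must use cross-origin isolation" hunk, "using the Cross-Origin-Embedder-Policy header" understates what the cross-origin isolated capability needs: it also requires a Cross-Origin-Opener-Policy header, and only COEP's require-corp value restricts no-CORS embedding to resources that opt in via CORP (credentialless instead strips credentials from such requests). Suggest naming COOP alongside COEP and qualifying "only to resources that explicitly allow this" accordingly. Later in the same hunk, "Other specifications should consider requiring CORP" reads as if a feature could require a response header; specifications gate powerful features on the cross-origin isolated capability, which is what in turn makes embedders demand CORP, so "requiring cross-origin isolation" is the more precise phrasing. Finally, in the TAO paragraph, "Beside the protections" should be "Besides the protections".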
Received on Wednesday, 29 January 2025 09:10:35 UTC