
[MIX] Consider all CORS requests "active"

From: Jake Archibald <jaffathecake@gmail.com>
Date: Thu, 10 Jul 2014 12:08:35 +0100
Message-ID: <CAJ5xic_-CnWLOvFPLdqKNev7UtECSYqMMj+Wnxvxiryo=UHBmQ@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
http://w3c.github.io/webappsec/specs/mixedcontent/#requirements-script

Currently, XHR & EventSource specifically fail when requesting insecure
content. This could be replaced with a general rule that CORS checks to
HTTP always fail. This also covers usually passive content that becomes
active via CORS, e.g. <img crossorigin>.

This means font requests to http would also fail; they could be given an
exception if needed.

In ServiceWorker, this means:

importScripts('http://...'); - fails
fetch('http://...'); - fails
cache.add('http://...'); - fails

…as they're all CORS dependent.

fetch('http://...', {mode: 'no-cors'});
cache.add(new Request('http://...', {mode: 'no-cors'}));

…these will give back a tainted response. Usual rules can apply if they're
used to satisfy requests to <script>, <img> etc.
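The rule proposed in the message can be written down as a small decision model, which makes the three outcomes (request fails, request proceeds, request proceeds but yields a tainted/opaque response) easy to test against the ServiceWorker calls listed above. The code below is an added example for this archive page, not code from the original post or from the Mixed Content spec; the function names (`isMixedContent`, `classifyRequest`, `classifyElementRequest`, `serviceWorkerOutcomes`), the `{url, mode}` object standing in for a fetch `Request`, and the `shop.example` / `cdn.example.net` URLs are all constructed for illustration. It runs in Node, which provides `URL` as a global.

```javascript
// Added example (not from the original post): a model of the proposed rule
// "CORS checks to HTTP from a secure context always fail". Names and sample
// URLs below are constructed for illustration.

// Outcomes the model distinguishes.
const ALLOWED = 'allowed'; // request proceeds normally
const BLOCKED = 'blocked'; // request fails with a network error
const TAINTED = 'tainted'; // request proceeds, response is opaque/tainted

// Resolve the request URL against the document or worker-script URL and
// report whether it is mixed content (https context fetching plain http).
function isMixedContent(contextUrl, requestUrl) {
  const context = new URL(contextUrl);
  const target = new URL(requestUrl, context.href); // handles relative URLs too
  return context.protocol === 'https:' && target.protocol === 'http:';
}

// Apply the proposed rule. `request` is a URL string or an object with
// {url, mode} standing in for a fetch() Request. The mode defaults to 'cors',
// as it does for fetch(url); the post treats importScripts(), fetch(url) and
// cache.add(url) as CORS-dependent, so they all go through this default.
function classifyRequest(contextUrl, request, options = {}) {
  const url = typeof request === 'string' ? request : request.url;
  const mode =
    (typeof request === 'object' && request.mode) || options.mode || 'cors';

  if (!isMixedContent(contextUrl, url)) return ALLOWED;

  // Mixed content from here on. A 'no-cors' request is not blocked by this
  // rule; it comes back as an opaque (tainted) response and the usual rules
  // apply when that response is later used for <script>, <img>, etc.
  if (mode === 'no-cors') return TAINTED;

  // 'cors' (and anything else that requires a CORS check) fails outright.
  return BLOCKED;
}

// Element fetches: a `crossorigin` attribute turns an otherwise passive
// fetch into a CORS request, which is why <img crossorigin> falls under the
// same rule as XHR. Without the attribute the fetch is 'no-cors'.
function classifyElementRequest(contextUrl, src, { crossorigin = false } = {}) {
  return classifyRequest(contextUrl, src, { mode: crossorigin ? 'cors' : 'no-cors' });
}

// Walk through the ServiceWorker calls listed in the post from a worker on a
// constructed https origin, so each outcome can be checked by name.
function serviceWorkerOutcomes(workerUrl = 'https://shop.example/sw.js') {
  const insecure = 'http://cdn.example.net/lib.js'; // constructed sample URL
  return {
    importScripts: classifyRequest(workerUrl, insecure),
    fetch: classifyRequest(workerUrl, insecure),
    cacheAdd: classifyRequest(workerUrl, insecure),
    fetchNoCors: classifyRequest(workerUrl, insecure, { mode: 'no-cors' }),
    cacheAddRequest: classifyRequest(workerUrl, { url: insecure, mode: 'no-cors' }),
    httpsLib: classifyRequest(workerUrl, 'https://cdn.example.net/lib.js'),
    sameOriginRelative: classifyRequest(workerUrl, '/app.js'),
  };
}

module.exports = { isMixedContent, classifyRequest, classifyElementRequest, serviceWorkerOutcomes };
```

The model deliberately does not encode the font exception mentioned in the post; if an exception were added it would be one more branch keyed on request destination, but the post leaves that open, so the example does too.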
Received on Thursday, 10 July 2014 11:09:02 UTC