W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2014

[MIX] Consider all CORS requests "active"

From: Jake Archibald <jaffathecake@gmail.com>
Date: Thu, 10 Jul 2014 12:08:35 +0100
Message-ID: <CAJ5xic_-CnWLOvFPLdqKNev7UtECSYqMMj+Wnxvxiryo=UHBmQ@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

Currently, XHR & EventSource specifically fail when requesting insecure
content. This could be replaced with a general rule that CORS checks to
HTTP always fail. This also covers usually passive content that becomes
active via CORS, eg <img crossorigin>.

This means font requests to http would also fail, they could be given an
exception if needed.

In ServiceWorker, this means:

importScripts('http://...'); - fails
fetch('http://...'); - fails
cache.add('http://...'); - fails

…as they're all CORS dependant.

fetch('http://...', {mode: 'no-cors'});
cache.add(new Request('http://...', {mode: 'no-cors'}));

…these will give back a tainted response. Usual rules can apply if they're
used to satisfy requests to <script>, <img> etc.
Received on Thursday, 10 July 2014 11:09:02 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:39 UTC