W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2017

Re: Reports feature violates the same-origin policy

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 15 Feb 2017 19:00:16 +0100
Message-ID: <CADnb78gLF+8+Jrs3tJ-=cWheK9BP1BdXYwt8fQ2g45BnLMV6ew@mail.gmail.com>
To: Mike West <mike@mikewest.org>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Wed, Feb 15, 2017 at 5:56 PM, Mike West <mike@mikewest.org> wrote:
> I agree with your analysis about this course of action. Given that it seems
> like a bad idea, what would you suggest that we do?

1. I think we should add evaluating any new fetches to
https://w3ctag.github.io/security-questionnaire/. Ideally we forbid
new "no-cors" fetches (I thought that was Chrome's policy per the
<script type=module> thread, but I guess the security team is not
super consistent).

2. We should document the exceptions in Fetch so that servers know
what to expect.

Received on Wednesday, 15 February 2017 18:00:47 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:59 UTC