-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Please clarify how the location could leak in example 3 (about shortlinks) #87
Comments
Well, the design of cc @arturjanc |
I think Chromium is handling this correctly today. It was certainly not handling this correctly when I wrote it a while back (we piped redirects back to the renderer to handle Regardless, the example could probably be reformulated to make a different point: handle CORS for the preflight, but don't enable CORS access for the resource itself. That would likely enable origins to use |
@mikewest does Chrome actually remove the |
@annevk: You mean something like |
Yeah, and also just |
FWIW in our original internal Spectre-related remediation we assumed that a response to a known URL with a |
Hey @jub0bs, are you still interested in sending a PR for this? |
@letitz Yes! Sorry, I forgot about this. I'll see what I can do this weekend. |
No worries, and thanks for contributing :) |
Example 3 reads like this:
I'm not sure I understand how the location could leak, even if the ACAO header was present on the response to the actual (preflighted) request... Since
Location
is not a CORS-safelisted response-header name, client code would only be able to read the value of that header if the response listed the header name in question in itsAccess-Control-Expose-Headers
header.Am I missing something?
The text was updated successfully, but these errors were encountered: