-
Notifications
You must be signed in to change notification settings - Fork 24
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unclear on cross-origin interaction & header lifetime #68
Comments
Headers are not limited to same origin, and adding an opt-in specific per origin would add complexity and burden users (and may not be practical for some of the use-cases). I agree with you that for CORS enabled requests this will create an issue due to the current definition of "simple request". I think that definition needs to be updated to include headers that the browser normally sends such as "DPR", "Width", "Viewport-Width", "Save-Data", "Downlink", "Beacon-Age", "Upgrade-Insecure-Request", etc. IMO sending these headers without preflight won't increase any risk of triggering unwanted behavior in internal servers, as an attacker can already send a request for a non-CORS enabled resource (e.g. image) to such servers, which would include these headers. P.S. I must be missing something in current definition you linked to, but my reading of it is that no request today is a simple request (as requests regularly contains headers such as |
If adding those isn't a security issue, then yeah that's another solution. The scope of "subsequent requests" still needs to be defined though, in terms of lifetime and the types of requests effected.
https://fetch.spec.whatwg.org/#http-fetch - the header check happens in step 4.1, but the host header isn't added until part of 4.4. |
Oh, cool, so this is what I was missing. Alternatively, we could also add all those browser-generated headers at that point as well. |
If:
…the header must be put on the simple list. Otherwise it can be set at the same time as the Or to put it another way, if I pull a request out of the cache API, should I be able to see a |
Right, I believe the right solution here is to add the necessary CH headers (DPR, Width, Viewport-Width, Save-Data) to the "simple list": https://fetch.spec.whatwg.org/#simple-header |
I think this comes down to several issues:
Maybe there's more? |
I believe so. You can see Content-Type, etc, correct? You should be able to see the DPR + Content-DPR headers, as that may affect how you store and process the response.
Interesting question.. I guess original? The reason I say that is because while we could update the
Yes, we went through a security review prior to shipping it in Chrome.
Yes.
They're set when the image request is created by relevant element -- e.g. img/srcset/etc. |
Did the security team review this too? That seems like a pretty drastic change from before. |
Sorry, meant to say Accept.
Yes. Note that CH opt-in applies to all subresources and origins on the page, and not just for own origin. I would expect that hint values should be accessible from within SW, both to inspect and to modify. |
That is different from being able to set the header to any value though. Are you saying Chrome has already modified its CORS implementation and forgot to file an issue? Seems doubtful. |
No, at the moment |
So, I'm confused on what our options are here..
|
Options are:
1 sounds like the safest option, but may be lacking due to lack of visibility in a service worker. If we went from 1 & later moved to 2 or 3… that could be a non-breaking change. |
(1) is a non-starter: it's counter what we've already shipped in Chrome; it breaks important developer use cases for CH; it breaks caching. What is the argument for disallowing developers from setting CH header values - i.e. treating them as simple headers? |
I don't understand. Are you asking about 2 or 3? The problem with 3 might be that servers do not anticipate hostile values in these headers since to date only user agents were able to generate them. |
Migrating issues to HTTP-WG repo. Let's continue this at httpwg/http-extensions#141. |
http://igrigorik.github.io/http-client-hints/#advertising-support-for-client-hints
What does "all subsequent requests" mean in this context? Here's my guess:
"subsequent requests with this client, to the same origin as client, with destination 'subresource' " - this seems to make the most sense to me. Without the same-origin restriction, the new headers will trigger CORS preflight requests because they aren't simple. Servers such as Google Fonts don't support preflights.
You probably want a way to opt into client hints for additional origins too. Eg:
The text was updated successfully, but these errors were encountered: