(How) should we mitigate error code exploits? #70
Labels
security-tracker
Group bringing to attention of security, or tracked by the security Group but not needing response.
Comments
|
CC @alvestrand who I believe already did some port filtering for similar problems |
|
Do we do this for 401 in fetch/XHR? Seems like it reduces debugging ability and may not be all that effective. Generally, we should understand the threat model here before trying to come up with a solution. |
|
Closing. We should reopen if we have a specific concern. |
|
I've made the subject more specific and reopened it. |
dontcallmedom
added
the
security-tracker
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
As pointed out here, error codes that help distinguish between "wrong credentials" and generic network error might help an attacker for example brute-forcing credentials.
pc.onicecandidateerror is an example of this.
What should we do?
The text was updated successfully, but these errors were encountered: