Fix #171: main fetch: clarify internal responses and network errors

Basically account for network errors a whole lot more and set the internalResponse variable together with the response variable to a network error to avoid leakage later on. Also mention that using the internalResponse variable for subresource integrity gives the attacker an oracle.
whatwg · Jan 8, 2016 · 200e745 · 200e745
1 parent 75bad7c
commit 200e745
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 37 deletions.
diff --git a/Overview.html b/Overview.html
@@ -7,7 +7,7 @@
 
 <p><a class="logo" href="https://whatwg.org/"><img alt="WHATWG" height="100" src="https://resources.whatwg.org/logo-fetch.svg" width="100"></a>
 <h1 id="cors">Fetch</h1>
-<h2 class="no-num no-toc" id="living-standard-—-last-updated-5-january-2016">Living Standard — Last Updated 5 January 2016</h2>
+<h2 class="no-num no-toc" id="living-standard-—-last-updated-8-january-2016">Living Standard — Last Updated 8 January 2016</h2>
 
 <dl>
  <dt>Participate:
@@ -1860,34 +1860,34 @@ <h3 id="main-fetch"><span class="secno">5.1 </span>Main fetch</h3>
    <dd><a href="#concept-filtered-response-opaque" title="concept-filtered-response-opaque">opaque filtered response</a>
   </dl>
 
- <li><p>Let <var>internalResponse</var> be <var>response</var>'s
- <a href="#concept-internal-response" title="concept-internal-response">internal response</a>.
+ <li><p>Let <var>internalResponse</var> be <var>response</var>, if <var>response</var> is a
+ <a href="#concept-network-error" title="concept-network-error">network error</a>, and <var>response</var>'s
+ <a href="#concept-internal-response" title="concept-internal-response">internal response</a> otherwise.
 
- <li><p>If
- <a href="https://w3c.github.io/webappsec-mixed-content/#should-block-response">should <var>internalResponse</var> to <var>request</var> be blocked as mixed content</a>,
+ <li><p>If <var>response</var> is not a <a href="#concept-network-error" title="concept-network-error">network error</a> and
+ one of <a href="https://w3c.github.io/webappsec-mixed-content/#should-block-response">should <var>internalResponse</var> to <var>request</var> be blocked as mixed content</a>,
  <a href="https://w3c.github.io/webappsec-csp/#should-block-response">should <var>internalResponse</var> to <var>request</var> be blocked by Content Security Policy</a>,
- or
+ and
  <a href="#should-response-to-request-be-blocked-due-to-nosniff?" title="should response to request be blocked due to nosniff">should <var>internalResponse</var> to <var>request</var> be blocked due to nosniff</a>
- returns <b title="">blocked</b>, set <var>response</var> to a
+ returns <b title="">blocked</b>, set <var>response</var> and <var>internalResponse</var> to a
  <a href="#concept-network-error" title="concept-network-error">network error</a>.
  <a href="#refsMIX">[MIX]</a>
  <a href="#refsCSP">[CSP]</a>
 
  <li>
-  <p>If <var>request</var>'s <a href="#concept-request-method" title="concept-request-method">method</a>
-  is `<code title="">HEAD</code>` or `<code title="">CONNECT</code>`, or
-  <var>internalResponse</var>'s
+  <p>If <var>response</var> is not a <a href="#concept-network-error" title="concept-network-error">network error</a> and
+  either <var>request</var>'s <a href="#concept-request-method" title="concept-request-method">method</a> is
+  `<code title="">HEAD</code>` or `<code title="">CONNECT</code>`, or <var>internalResponse</var>'s
   <a href="#concept-response-status" title="concept-response-status">status</a> is a <a href="#null-body-status">null body status</a>,
   set <var>internalResponse</var>'s <a href="#concept-response-body" title="concept-response-body">body</a> to
   null and disregard any pushing toward it (if any).
 
   <p class="note">This standardizes the error handling for servers that violate HTTP.
 
  <li>
-  <p>If <var>request</var>'s
-  <a href="#concept-request-integrity-metadata" title="concept-request-integrity-metadata">integrity metadata</a> is not
-  the empty string and <var>response</var> is not a
-  <a href="#concept-network-error" title="concept-network-error">network error</a>, run these substeps:
+  <p>If <var>response</var> is not a <a href="#concept-network-error" title="concept-network-error">network error</a> and
+  <var>request</var>'s <a href="#concept-request-integrity-metadata" title="concept-request-integrity-metadata">integrity metadata</a> is
+  not the empty string, run these substeps:
 
   <ol>
    <li><p><a href="#wait-for-a-response" title="Wait for a response">Wait for <var>response</var></a>.
@@ -1896,15 +1896,14 @@ <h3 id="main-fetch"><span class="secno">5.1 </span>Main fetch</h3>
    <a href="#concept-response-termination-reason" title="concept-response-termination-reason">termination reason</a> and
    <var>response</var> does not
    <a href="https://w3c.github.io/webappsec-subresource-integrity/#does-response-match-metadatalist">match</a>
-   <var>request</var>'s
-   <a href="#concept-request-integrity-metadata" title="concept-request-integrity-metadata">integrity metadata</a>, set
-   <var>response</var> to a
+   <var>request</var>'s <a href="#concept-request-integrity-metadata" title="concept-request-integrity-metadata">integrity metadata</a>,
+   set <var>response</var> and <var>internalResponse</var> to a
    <a href="#concept-network-error" title="concept-network-error">network error</a>.
    <a href="#refsSRI">[SRI]</a>
   </ol>
 
-  <p class="note">This operates on <var>response</var> as this algorithm is not
-  supposed to observe <var>internalResponse</var>.
+  <p class="note">This operates on <var>response</var> as this algorithm is not supposed to observe
+  <var>internalResponse</var>. That would allow an attacker to use hashes as an oracle.
 
  <li>
   <p>If <var>request</var>'s <a href="#synchronous-flag">synchronous flag</a> is set,

diff --git a/Overview.src.html b/Overview.src.html
@@ -1799,34 +1799,34 @@ <h3>Main fetch</h3>
    <dd><span title=concept-filtered-response-opaque>opaque filtered response</span>
   </dl>
 
- <li><p>Let <var>internalResponse</var> be <var>response</var>'s
- <span title=concept-internal-response>internal response</span>.
+ <li><p>Let <var>internalResponse</var> be <var>response</var>, if <var>response</var> is a
+ <span title=concept-network-error>network error</span>, and <var>response</var>'s
+ <span title=concept-internal-response>internal response</span> otherwise.
 
- <li><p>If
- <a href=https://w3c.github.io/webappsec-mixed-content/#should-block-response>should <var>internalResponse</var> to <var>request</var> be blocked as mixed content</a>,
+ <li><p>If <var>response</var> is not a <span title=concept-network-error>network error</span> and
+ one of <a href=https://w3c.github.io/webappsec-mixed-content/#should-block-response>should <var>internalResponse</var> to <var>request</var> be blocked as mixed content</a>,
  <a href=https://w3c.github.io/webappsec-csp/#should-block-response>should <var>internalResponse</var> to <var>request</var> be blocked by Content Security Policy</a>,
- or
+ and
  <span title="should response to request be blocked due to nosniff">should <var>internalResponse</var> to <var>request</var> be blocked due to nosniff</span>
- returns <b title>blocked</b>, set <var>response</var> to a
+ returns <b title>blocked</b>, set <var>response</var> and <var>internalResponse</var> to a
  <span title=concept-network-error>network error</span>.
  <span data-anolis-ref>MIX</span>
  <span data-anolis-ref>CSP</span>
 
  <li>
-  <p>If <var>request</var>'s <span title=concept-request-method>method</span>
-  is `<code title>HEAD</code>` or `<code title>CONNECT</code>`, or
-  <var>internalResponse</var>'s
+  <p>If <var>response</var> is not a <span title=concept-network-error>network error</span> and
+  either <var>request</var>'s <span title=concept-request-method>method</span> is
+  `<code title>HEAD</code>` or `<code title>CONNECT</code>`, or <var>internalResponse</var>'s
   <span title=concept-response-status>status</span> is a <span>null body status</span>,
   set <var>internalResponse</var>'s <span title=concept-response-body>body</span> to
   null and disregard any pushing toward it (if any).
 
   <p class=note>This standardizes the error handling for servers that violate HTTP.
 
  <li>
-  <p>If <var>request</var>'s
-  <span title=concept-request-integrity-metadata>integrity metadata</span> is not
-  the empty string and <var>response</var> is not a
-  <span title=concept-network-error>network error</span>, run these substeps:
+  <p>If <var>response</var> is not a <span title=concept-network-error>network error</span> and
+  <var>request</var>'s <span title=concept-request-integrity-metadata>integrity metadata</span> is
+  not the empty string, run these substeps:
 
   <ol>
    <li><p><span title="Wait for a response">Wait for <var>response</var></span>.
@@ -1835,15 +1835,14 @@ <h3>Main fetch</h3>
    <span title=concept-response-termination-reason>termination reason</span> and
    <var>response</var> does not
    <a href=https://w3c.github.io/webappsec-subresource-integrity/#does-response-match-metadatalist>match</a>
-   <var>request</var>'s
-   <span title=concept-request-integrity-metadata>integrity metadata</span>, set
-   <var>response</var> to a
+   <var>request</var>'s <span title=concept-request-integrity-metadata>integrity metadata</span>,
+   set <var>response</var> and <var>internalResponse</var> to a
    <span title=concept-network-error>network error</span>.
    <span data-anolis-ref>SRI</span>
   </ol>
 
-  <p class=note>This operates on <var>response</var> as this algorithm is not
-  supposed to observe <var>internalResponse</var>.
+  <p class=note>This operates on <var>response</var> as this algorithm is not supposed to observe
+  <var>internalResponse</var>. That would allow an attacker to use hashes as an oracle.
 
  <li>
   <p>If <var>request</var>'s <span>synchronous flag</span> is set,