Request's tainted origin flag fallout #756

Closed
annevk opened this issue Jun 6, 2018 · 1 comment
Labels: security/privacy (There are security or privacy implications); topic: cors


annevk commented Jun 6, 2018

@yutakahirano noticed one more place that relied on request's origin becoming an opaque origin: step 5 of main fetch.

I incorrectly assumed this wouldn't be a problem due to the CORS flag, but the CORS flag is not set if the initial request was same-origin.

I think making the first conditional of step 5 instead read

request's current url's origin is same origin with request's origin, CORS flag is unset, and either request's tainted origin flag is unset or request's mode is not "cors"

would fix this.

This is somewhat related to #737.

annevk added the security/privacy (There are security or privacy implications) label Jun 6, 2018
annevk added a commit that referenced this issue Nov 16, 2018
This also addresses #737 in that now A -> B -> A would be considered cross-origin even for "no-cors", but leaving that open for further plumbing in HTML et al to override that in select cases (e.g., <img>).

Fixes #756.
annevk added a commit that referenced this issue Nov 20, 2018
This also addresses #737 in that now A -> B -> A would be considered cross-origin even for "no-cors", but leaving that open to discuss whether HTML et al need to override that in select cases (e.g., <img>).

Fixes #756.

annevk commented Nov 20, 2018

Note for future me: the fix in OP wasn't quite correct as a "no-cors" response shouldn't be considered same origin if there is a cross-origin redirect involved.
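
The condition proposed in the opening comment, and the case the follow-up note names, as an added JavaScript sketch that is not part of the original thread or of the Fetch Standard. The object fields, `strictCondition` (a comparison variant, not the text that landed) and the a.example/b.example origins are assumptions; the tainted origin flag is treated as set once a cross-origin redirect has occurred.

```javascript
// Added illustration: models only the condition quoted in this thread.
// Object fields and function names are hypothetical, not Fetch Standard or browser APIs.

// Compare origins (scheme, host, port) of two URL strings.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// First conditional of main fetch step 5 as worded in the opening comment.
function proposedCondition(req) {
  return sameOrigin(req.currentUrl, req.origin) &&
    !req.corsFlag &&
    (!req.taintedOriginFlag || req.mode !== "cors");
}

// Comparison variant (assumption, not spec text): a set tainted origin flag
// always rules out the same-origin path, whatever the mode.
function strictCondition(req) {
  return sameOrigin(req.currentUrl, req.origin) &&
    !req.corsFlag &&
    !req.taintedOriginFlag;
}

// Enumerate every flag combination for a request issued by origin A and
// return the states that only proposedCondition accepts as same-origin.
function divergingStates() {
  const A = "https://a.example", B = "https://b.example"; // constructed origins
  const out = [];
  for (const currentUrl of [A + "/img.png", B + "/img.png"])
    for (const corsFlag of [false, true])
      for (const taintedOriginFlag of [false, true])
        for (const mode of ["cors", "no-cors"]) {
          const req = { origin: A, currentUrl, corsFlag, taintedOriginFlag, mode };
          if (proposedCondition(req) !== strictCondition(req)) out.push(req);
        }
  return out;
}

// Final hop of an A -> B -> A redirect chain (assumes the cross-origin hop
// set the tainted origin flag and the CORS flag stayed unset).
const backAtA = { origin: "https://a.example", currentUrl: "https://a.example/img.png",
                  corsFlag: false, taintedOriginFlag: true };

console.log(proposedCondition({ ...backAtA, mode: "cors" }));    // false
console.log(proposedCondition({ ...backAtA, mode: "no-cors" })); // true
console.log(divergingStates());
```

The single diverging state is the "no-cors" request that has returned to its own origin after a cross-origin redirect, which is the case the November 20 comment says should not be considered same origin.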
