Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Extend Cross-Origin-Resource-Policy to take origin values #760

Open
annevk opened this issue Jun 8, 2018 · 2 comments
Open

Extend Cross-Origin-Resource-Policy to take origin values #760

annevk opened this issue Jun 8, 2018 · 2 comments
Labels
addition/proposal needs concrete proposal security/privacy

Comments

@annevk
Copy link
Member

annevk commented Jun 8, 2018

In #687 there was a strong interest, notably by @arturjanc, to make Cross-Origin-Resource-Policy accept literal origins.

Things to decide:

  • Multiple values or not.
  • Byte-for-byte matching after any splitting if we do multiple values (yes please).

This also means we can no longer fail open. E.g., the tests in web-platform-tests/wpt#11427 would have to be flipped so they expect rejection instead since we do not know that the unrecognized values are not origins.

cc @johnwilander @youennf

@annevk annevk added addition/proposal security/privacy needs concrete proposal labels Jun 8, 2018
annevk added a commit that referenced this issue Jun 8, 2018
This header makes it easier for sites to block unwanted "no-cors"
cross-origin requests.

Tests:

* web-platform-tests/wpt#11171
* web-platform-tests/wpt#11427
* web-platform-tests/wpt#11428

Follow-up: #760.

Fixes #687.
annevk added a commit that referenced this issue Jun 18, 2018
This header makes it easier for sites to block unwanted "no-cors"
cross-origin requests.

Tests:

* web-platform-tests/wpt#11171
* web-platform-tests/wpt#11427
* web-platform-tests/wpt#11428

Follow-up: #760 & #767.

Fixes #687.
@anforowicz
Copy link
Contributor

anforowicz commented Jan 22, 2019

What is the main problem that this issue attempts to solve? Is this mostly about the problem described by @arturjanc in #687 (comment):

The problem with not allowing granular control in From-Origin is that it will be impossible for developers whose resources are loaded cross-site to use the header, even if they fully control the requesting domain.

cc @mikewest

@anforowicz
Copy link
Contributor

anforowicz commented Jan 22, 2019

Also (for helping with prioritization), do you think supporting cross-site Cross-Origin-Resource-Policy (e.g. by making Cross-Origin-Resource-Policy accept literal origins) is more or less important than working on finalizing and implementing Sec-Fetch-Site?

cc @csreis

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
addition/proposal needs concrete proposal security/privacy
Development

No branches or pull requests

2 participants