Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Question about tainted origin flag #953

Closed
npm1 opened this issue Oct 24, 2019 · 6 comments · Fixed by #963
Closed

Question about tainted origin flag #953

npm1 opened this issue Oct 24, 2019 · 6 comments · Fixed by #963

Comments

@npm1
Copy link
Contributor

npm1 commented Oct 24, 2019

In step 10 of https://fetch.spec.whatwg.org/#concept-http-redirect-fetch it says If actualResponse’s location URL’s origin is not same origin with request’s current URL’s origin and request’s origin is not same origin with request’s current URL’s origin, then set request’s tainted origin flag.

I thought that the tainted origin flag is meant to capture whether there are cross origin redirects, is that true? If it is, why is the second check needed? Thanks in advance!
@yutakahirano
Copy link
Member

I think the tainted origin flag is not what you want.

You can check request's response tainting to see whether there is a "cross-origin request" in the redirect chain.

@annevk
Copy link
Member

annevk commented Oct 25, 2019

@npm1 if I remember correctly, that captures that if A1 requests A2 and A2 redirects to B, the origin isn't tainted. There's a PR where this is discussed in more detail which can probably be found via blame.

@npm1
Copy link
Contributor Author

npm1 commented Oct 25, 2019

Found the PR, it's #594. Resource Timing's w3c/resource-timing#214 was supposed to implement similar checks but instead seems to be implementing something different. @yoavweiss it seems the origin only becomes tainted after two cross origin changes, not one. So to match CORS, should https://w3c.github.io/resource-timing/#dfn-timing-allow-check be changed to be less restrictive?

@annevk
Copy link
Member

annevk commented Oct 25, 2019

Yeah, I'm not sure I understand that language. Perhaps it's worth considering merging TAO into Fetch at this point? I don't think it would be all that hard and I think it would put an end to the continued confusion we've been having around this.

@npm1
Copy link
Contributor Author

npm1 commented Oct 29, 2019

Ok, I will send a PR to add a 'TAO check' in Fetch. Reading the CORS check, it depends on serialization of origin which depends on the tainted origin flag, so we should be using that if the intent is to follow CORS logic. This means the current tainted bool in ResourceTiming is too restrictive, as any cross-origin change would set it.

@annevk annevk closed this as completed Nov 8, 2019
@annevk annevk reopened this Nov 8, 2019
@annevk
Copy link
Member

annevk commented Nov 8, 2019

I think there's something wrong about the origin tainted flag though in that some of the text suggests it serves a similar purpose to the response tainting flag, which I think is more what you were after. I should straighten that out.

annevk added a commit that referenced this issue Nov 11, 2019
@annevk
Editorial: mention the tainted origin flag less
d8ac077 
Closes #953.
@annevk annevk mentioned this issue Nov 11, 2019
Merged
annevk added a commit that referenced this issue Nov 14, 2019
@annevk
Editorial: mention the tainted origin flag less
2f496b5 
Closes #953.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Editorial: mention the tainted origin flag less whatwg/fetch
3 participants
@annevk @yutakahirano @npm1