Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Avoid using the CORS flag to reset request's origin in redirects #594

Merged
merged 4 commits into from
May 28, 2018
Merged

Avoid using the CORS flag to reset request's origin in redirects #594

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
9ffa224
Avoid using the CORS flag to reset request's origin in redirects
annevk Aug 31, 2017
49420f8
add tainted origin flag concept
annevk May 24, 2018
e66dfb2
make the preflight cache operate on a serialized origin
annevk May 24, 2018
398ce19
nit
annevk May 24, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
104 changes: 55 additions & 49 deletions fetch.bs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -950,12 +950,9 @@ user-agent-defined object). Unless otherwise stated it is null.
"<code>client</code>" or an <a for=/>origin</a>. Unless stated otherwise it is
"<code>client</code>".

<p class="note no-backref">"<code>client</code>" is changed to an
<a for=/>origin</a> during <a lt=fetch for=/>fetching</a>. It
provides a convenient way for standards to not have to set
<p class="note no-backref">"<code>client</code>" is changed to an <a for=/>origin</a> during
<a lt=fetch for=/>fetching</a>. It provides a convenient way for standards to not have to set
<a for=/>request</a>'s <a for=request>origin</a>.
<a for=/>Request</a>'s <a for=request>origin</a> can be
changed during redirects too.

<p>A <a for=/>request</a> has an associated
<dfn export for=request id=concept-request-referrer>referrer</dfn>, which is
Expand Down Expand Up @@ -1149,6 +1146,10 @@ determine whether requests or responses are to be blocked in a given context. [[

<hr>

<p>A <a for=/>request</a> has an associated
<dfn for=request id=concept-request-tainted-origin>tainted origin flag</dfn>. Unless stated
otherwise, it is unset.

<p>A <a for=/>request</a> has an associated
<dfn export for=request id=concept-request-url-list>url list</dfn> (a list of one or more
<a for=/>URLs</a>). Unless stated otherwise, it is a list containing a copy of
Expand Down Expand Up @@ -1176,13 +1177,10 @@ Unless stated otherwise, it is unset.

<p class="note no-backref">This flag is for exclusive use by HTML's navigate algorithm. [[!HTML]]

<p class="note no-backref">A <a for=/>request</a>'s
<a for=request>url list</a>,
<a for=request>current url</a>,
<a for=request>redirect count</a>,
<a for=request>response tainting</a>, and
<a>done flag</a> are used as bookkeeping details by the
<a for=/>fetch</a> algorithm.
<p class="note no-backref">A <a for=/>request</a>'s <a for=request>tainted origin flag</a>,
<a for=request>url list</a>, <a for=request>current url</a>, <a for=request>redirect count</a>,
<a for=request>response tainting</a>, and <a for=request>done flag</a> are used as bookkeeping
details by the <a for=/>fetch</a> algorithm.

<hr>

Expand Down Expand Up @@ -1211,6 +1209,19 @@ or "<code>worker</code>".

<hr>

<p><dfn>Serializing a request origin</dfn>, given a <a for=/>request</a> <var>request</var>, is to
run these steps:

<ol>
<li><p>If <var>request</var>'s <a for=request>tainted origin flag</a> is set, then return
`<code>null</code>`.

<li><p>Return <var>request</var>'s <a for=request>origin</a>,
<a lt="ASCII serialization of an origin">serialized</a> and <a>isomorphic encoded</a>.
</ol>

<hr>

<p>To <dfn export for=request id=concept-request-clone>clone</dfn> a
<a for=/>request</a> <var>request</var>, run these steps:

Expand Down Expand Up @@ -1291,6 +1302,7 @@ or "<code>worker</code>".
</ol>
</ol>


<h4 id=responses>Responses</h4>

<p>The result of <a for=/>fetch</a> is a
Expand Down Expand Up @@ -3316,13 +3328,11 @@ optional <i>CORS flag</i> and <i>CORS-preflight flag</i>, run these steps:
<a for=request>redirect count</a> by one.

<li><p>If <var>request</var>'s <a for=request>mode</a> is "<code>cors</code>",
<var>request</var>'s <a for=request>origin</a> is <em>not</em>
<a>same origin</a> with <var>actualResponse</var>'s
<a for=response>location URL</a>'s
<a for=url>origin</a>, and <var>actualResponse</var>'s
<a for=response>location URL</a>
<a lt="include credential">includes credentials</a>, then return a
<a>network error</a>.
<var>actualResponse</var>'s <a for=response>location URL</a>
<a lt="include credential">includes credentials</a>, and either <var>request</var>'s
<a for=request>tainted origin flag</a> is set or <var>request</var>'s <a for=request>origin</a> is
not <a>same origin</a> with <var>actualResponse</var>'s <a for=response>location URL</a>'s
<a for=url>origin</a>, then return a <a>network error</a>.

<li>
<p>If <i>CORS flag</i> is set and <var>actualResponse</var>'s
Expand All @@ -3336,10 +3346,11 @@ optional <i>CORS flag</i> and <i>CORS-preflight flag</i>, run these steps:
<var>request</var>'s <a for=request>body</a> is non-null, and <var>request</var>'s
<a for=request>body</a>'s <a for=body>source</a> is null, then return a <a>network error</a>.

<li><p>If <i>CORS flag</i> is set and <var>actualResponse</var>'s
<a for=response>location URL</a>'s <a for=url>origin</a> is not <a>same origin</a> with
<var>request</var>'s <a for=request>current url</a>'s <a for=url>origin</a>, then set
<var>request</var>'s <a for=request>origin</a> to a unique <a>opaque origin</a>.
<li><p>If <var>actualResponse</var>'s <a for=response>location URL</a>'s <a for=url>origin</a> is
not <a>same origin</a> with <var>request</var>'s <a for=request>current url</a>'s
<a for=url>origin</a> and <var>request</var>'s <a for=request>origin</a> is not <a>same origin</a>
with <var>request</var>'s <a for=request>current url</a>'s <a for=url>origin</a>, then set
<var>request</var>'s <a for=request>tainted origin flag</a>.

<li><p>If either <var>actualResponse</var>'s <a for=response>status</a> is
<code>301</code> or <code>302</code> and <var>request</var>'s
Expand Down Expand Up @@ -3504,10 +3515,8 @@ Range Requests</cite>. [[HTTP-RANGE]] However, this is not widely supported by b
<li><p>If the <i>CORS flag</i> is set, <var>httpRequest</var>'s <a for=request>method</a> is
neither `<code>GET</code>` nor `<code>HEAD</code>`, or <var>httpRequest</var>'s
<a for=request>mode</a> is "<code>websocket</code>", then <a for="header list">append</a>
`<code>Origin</code>`/<var>httpRequest</var>'s <a for=request>origin</a>,
<a lt="ASCII serialization of an origin">serialized</a> and <a>UTF-8 encoded</a>, to
<var>httpRequest</var>'s <a for=request>header list</a>.
<!-- XXX concept-as-bytes -->
`<code>Origin</code>`/the result of <a>serializing a request origin</a> with
<var>httpRequest</var>, to <var>httpRequest</var>'s <a for=request>header list</a>.

<li><p>If <var>httpRequest</var>'s <a for=request>header list</a>
<a for="header list">does not contain</a> `<code>User-Agent</code>`, then user agents should
Expand Down Expand Up @@ -4140,8 +4149,10 @@ steps:
<a for=request>initiator</a> is <var>request</var>'s <a for=request>initiator</a>,
<a for=request>destination</a> is <var>request</var>'s <a for=request>destination</a>,
<a for=request>origin</a> is <var>request</var>'s <a for=request>origin</a>,
<a for=request>referrer</a> is <var>request</var>'s <a for=request>referrer</a>, and
<a for=request>referrer policy</a> is <var>request</var>'s <a for=request>referrer policy</a>.
<a for=request>referrer</a> is <var>request</var>'s <a for=request>referrer</a>,
<a for=request>referrer policy</a> is <var>request</var>'s <a for=request>referrer policy</a>, and
<a for=request>tainted origin flag</a> is <var>request</var>'s
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this change needed?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Never mind, I was wrong, it's needed.

<a for=request>tainted origin flag</a>.

<p class="note no-backref">The <a for=request>service-workers mode</a> of <var>preflight</var>
does not matter as this algorithm uses <a>HTTP-network-or-cache fetch</a> rather than
Expand Down Expand Up @@ -4269,7 +4280,7 @@ steps:
entries where each entry has these fields:

<ul class=brief>
<li><dfn id=concept-cache-origin for=cache>origin</dfn> (an <a for=/>origin</a>)
<li><dfn id=concept-cache-origin for=cache>serialized origin</dfn> (a <a for=/>byte sequence</a>)
<li><dfn id=concept-cache-url for=cache>url</dfn> (a <a for=/>URL</a>)
<li><dfn id=concept-cache-max-age for=cache>max-age</dfn> (a number of seconds)
<li><dfn id=concept-cache-credentials for=cache>credentials</dfn> (a boolean)
Expand All @@ -4288,8 +4299,8 @@ Entries may be removed before that moment arrives.
<var>method</var>, and <var>headerName</var>, do so as follows:

<dl>
<dt><a for=cache>origin</a>
<dd><var>request</var>'s <a for=request>origin</a>
<dt><a for=cache>serialized origin</a>
<dd>The result of <a>serializing a request origin</a> with <var>request</var>

<dt><a for=cache>url</a>
<dd><var>request</var>'s <a for=request>current url</a>
Expand All @@ -4309,25 +4320,21 @@ Entries may be removed before that moment arrives.
<dd><var>headerName</var>
</dl>

<p>To <dfn id=concept-cache-clear for=cache>clear cache entries</dfn>, given a
<var>request</var>, remove any entries in the
<a>CORS-preflight cache</a> whose
<a for=cache>origin</a> is <var>request</var>'s
<a for=request>origin</a> and whose
<a for=cache>url</a> is <var>request</var>'s
<a for=request>current url</a>.
<p>To <dfn id=concept-cache-clear for=cache>clear cache entries</dfn>, given a <var>request</var>,
remove any entries in the <a>CORS-preflight cache</a> whose <a for=cache>serialized origin</a> is
the result of <a>serializing a request origin</a> with <var>request</var> and whose
<a for=cache>url</a> is <var>request</var>'s <a for=request>current url</a>.

<p>There is a <dfn id=concept-cache-match for=cache>cache match</dfn> for
<var>request</var> if <a for=cache>origin</a> is
<var>request</var>'s <a for=request>origin</a>,
<a for=cache>url</a> is <var>request</var>'s
<a for=request>current url</a>, and one of
<p>There is a <dfn id=concept-cache-match for=cache>cache match</dfn> for <var>request</var> if
<a for=cache>serialized origin</a> is the result of <a>serializing a request origin</a> with
<var>request</var>, <a for=cache>url</a> is <var>request</var>'s <a for=request>current url</a>, and
one of

<ul class=brief>
<li><a for=cache>credentials</a> is true
<li><a for=cache>credentials</a> is false and <var>request</var>'s
<a for=request>credentials mode</a> is <em>not</em>
"<code>include</code>"
"<code>include</code>".
</ul>

<p>is true.
Expand Down Expand Up @@ -4374,10 +4381,8 @@ Entries may be removed before that moment arrives.
<a for=request>credentials mode</a> is not
"<code>include</code>" and <var>origin</var> is `<code>*</code>`, return success.

<li><p>If <var>request</var>'s <a for=request>origin</a>,
<a lt="ASCII serialization of an origin">serialized</a> and <a>UTF-8 encoded</a>, is not
<var>origin</var>, return failure.
<!-- XXX concept-as-bytes -->
<li><p>If the result of <a>serializing a request origin</a> with <var>request</var> is not
<var>origin</var>, then return failure.

<li><p>If <var>request</var>'s
<a for=request>credentials mode</a> is not
Expand Down Expand Up @@ -6328,6 +6333,7 @@ Clement Pellerin,
Collin Jackson,
Daniel Robertson,
Daniel Veditz,
David Benjamin,
David Håsäther,
David Orchard,
Dean Jackson,
Expand Down