From 25fde4f5001feb1c5a2866354de6ccf021af9f30 Mon Sep 17 00:00:00 2001 From: Emily Stark Date: Thu, 26 Oct 2017 07:33:52 -0700 Subject: [PATCH 1/5] Document CORS safelist exceptions As discussed in https://github.com/whatwg/fetch/issues/567, browsers have allowed various cross-origin requests with non-safelisted Content-Type header values to be sent without CORS preflights. These have occurred either by accident (and now can't be reversed for compatibility reasons) or because of design constraints (requests that are implemented outside of the web platform layer). These CORS exceptions are believed to be safe, but the spec should document them so that servers know to expect them. I've added a note about the Content-Type exceptions, but haven't added them to the safelist, because doing so would imply that web content can trigger requests with these Content-Type headers and arbitrary bodies. We don't want to allow fully attacker-controlled requests with these headers, but rather just want to document the current state where web content can trigger the requests but not control the headers or bodies. --- fetch.bs | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/fetch.bs b/fetch.bs index b6e797a21..b2feeff9f 100644 --- a/fetch.bs +++ b/fetch.bs @@ -445,6 +445,14 @@ whose name is a byte-case-insensitive match for one of

and whose value, once extracted, is not failure. +

Browsers allow limited exceptions to the CORS safelist for non-safelisted +`Content-Type` values. These exceptions are made for requests that can be triggered by +web content but whose headers and bodies can be only minimally controlled by the web content. +Therefore, servers should expect cross-origin web content to be allowed to trigger non-preflighted +requests with the following non-safelisted `Content-Type` values: +`application/csp-report`, `application/report`, +`application/expect-ct-report+json`, `application/ocsp-request`. +

A CORS non-wildcard request-header name is a byte-case-insensitive match for `Authorization`. From fb97ea330f0cd770561b0a51754bae8539ae2ad0 Mon Sep 17 00:00:00 2001 From: Emily Stark Date: Fri, 27 Oct 2017 10:30:55 -0700 Subject: [PATCH 2/5] Move to its own normative section --- fetch.bs | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/fetch.bs b/fetch.bs index b2feeff9f..f3bbc09d8 100644 --- a/fetch.bs +++ b/fetch.bs @@ -445,13 +445,8 @@ whose name is a byte-case-insensitive match for one of

and whose value, once extracted, is not failure. -

Browsers allow limited exceptions to the CORS safelist for non-safelisted -`Content-Type` values. These exceptions are made for requests that can be triggered by -web content but whose headers and bodies can be only minimally controlled by the web content. -Therefore, servers should expect cross-origin web content to be allowed to trigger non-preflighted -requests with the following non-safelisted `Content-Type` values: -`application/csp-report`, `application/report`, -`application/expect-ct-report+json`, `application/ocsp-request`. +

There are limited exceptions to the `Content-Type` safelist, as +documented in CORS protocol exceptions.

A CORS non-wildcard request-header name is a byte-case-insensitive match for `Authorization`. @@ -2234,6 +2229,19 @@ Access-Control-Allow-Credentials: true ignored. +

CORS protocol exceptions

+ +

Specifications have allowed limited exceptions to the CORS safelist for non-safelisted +`Content-Type` values. These exceptions are made for requests that can be triggered by +web content but whose headers and bodies can be only minimally controlled by the web content. +Therefore, servers should expect cross-origin web content to be allowed to trigger non-preflighted +requests with the following non-safelisted `Content-Type` values: +`application/csp-report`, `application/report`, +`application/expect-ct-report+json`, `application/ocsp-request`. + +

Specifications should avoid introducing new exceptions and should only do so with careful +consideration for the security consequences. +

`X-Content-Type-Options` header

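Review bot: the new "CORS protocol exceptions" section opens with "Specifications have allowed limited exceptions" but cites no specification for any of the four `Content-Type` values, so a server operator reading it cannot find the request body format they should expect at a report endpoint; attach a reference to each value (the CSP, Reporting, Expect-CT and OCSP documents that define them). The safety argument also rests on "headers and bodies can be only minimally controlled by the web content", which the section never pins down; one sentence saying what that means in practice (the browser, not the page, constructs the request body, in the format the defining specification fixes) would make the basis of each exception explicit and give any future proposal a concrete bar to meet.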
From 84322dbfe1ec325be5b85474c1bbd6e38f7299df Mon Sep 17 00:00:00 2001 From: Emily Stark Date: Fri, 3 Nov 2017 10:05:00 -0700 Subject: [PATCH 3/5] address annevk's comments --- fetch.bs | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/fetch.bs b/fetch.bs index f3bbc09d8..40bf97a14 100644 --- a/fetch.bs +++ b/fetch.bs @@ -445,7 +445,7 @@ whose name is a byte-case-insensitive match for one of

and whose value, once extracted, is not failure. -

There are limited exceptions to the `Content-Type` safelist, as +

There are limited exceptions to the `Content-Type` header safelist, as documented in CORS protocol exceptions.

A CORS non-wildcard request-header name is a byte-case-insensitive match @@ -2232,15 +2232,16 @@ Access-Control-Allow-Credentials: true

CORS protocol exceptions

Specifications have allowed limited exceptions to the CORS safelist for non-safelisted -`Content-Type` values. These exceptions are made for requests that can be triggered by -web content but whose headers and bodies can be only minimally controlled by the web content. -Therefore, servers should expect cross-origin web content to be allowed to trigger non-preflighted -requests with the following non-safelisted `Content-Type` values: -`application/csp-report`, `application/report`, -`application/expect-ct-report+json`, `application/ocsp-request`. +`Content-Type` header values. These exceptions are made for requests that can be +triggered by web content but whose headers and bodies can be only minimally controlled by the web +content. Therefore, servers should expect cross-origin web content to be allowed to trigger +non-preflighted requests with the following non-safelisted `Content-Type` header +values: `application/csp-report`, `application/report`, +`application/expect-ct-report+json`, and `application/ocsp-request`.

Specifications should avoid introducing new exceptions and should only do so with careful -consideration for the security consequences. +consideration for the security consequences. New exceptions can be proposed by +filing an issue.

`X-Content-Type-Options` header

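Review bot: the added sentence "New exceptions can be proposed by filing an issue" links "filing an issue" to a target that is not visible in this hunk; confirm it points at the Fetch issue tracker (the same one as https://github.com/whatwg/fetch/issues/567 in the first commit message). Since this paragraph is the normative guidance for adding exceptions, "careful consideration for the security consequences" gives a reviewer no criterion to apply; state the test the preceding paragraph already implies, namely that a proposal must show web content cannot control the request headers or body beyond what the defining specification fixes.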
From f69511840aca2267ebea302bb38220994adc1b02 Mon Sep 17 00:00:00 2001 From: Emily Stark Date: Fri, 17 Nov 2017 16:55:09 -0800 Subject: [PATCH 4/5] add references --- fetch.bs | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/fetch.bs b/fetch.bs index 40bf97a14..45f7e87fe 100644 --- a/fetch.bs +++ b/fetch.bs @@ -97,6 +97,22 @@ url: https://tools.ietf.org/html/rfc7234#section-1.2.1;text:delta-seconds;type:d "publisher": "US-CERT", "href": "https://www.kb.cert.org/vuls/id/150227", "title": "HTTP proxy default configurations allow arbitrary TCP connections." + }, + "REPORTING": { + "authors": ["Ilya Grigorik", "Mike West"], + "href": "https://wicg.github.io/reporting/", + "title": "Reporting API" + }, + "EXPECT-CT": { + "authors": [ + "Emily Stark" + ], + "href": "https://tools.ietf.org/html/draft-ietf-httpbis-expect-ct-02", + "publisher": "IETF", + "title": "Expect-CT Extension for HTTP" + }, + "OCSP": { + "aliasOf": "RFC2560" } } @@ -2236,8 +2252,10 @@ Access-Control-Allow-Credentials: true triggered by web content but whose headers and bodies can be only minimally controlled by the web content. Therefore, servers should expect cross-origin web content to be allowed to trigger non-preflighted requests with the following non-safelisted `Content-Type` header -values: `application/csp-report`, `application/report`, -`application/expect-ct-report+json`, and `application/ocsp-request`. +values: +`application/csp-report` [[CSP]], `application/report` [[REPORTING]], +`application/expect-ct-report+json` [[EXPECT-CT]], +`application/xss-auditor-report`, and `application/ocsp-request` [[OCSP]].

Specifications should avoid introducing new exceptions and should only do so with careful consideration for the security consequences. New exceptions can be proposed by From 3d17f9fc0b100c809858b0a70ffea9a50cb58bd5 Mon Sep 17 00:00:00 2001 From: Emily Stark Date: Mon, 20 Nov 2017 11:00:50 -0800 Subject: [PATCH 5/5] reformat as a list --- fetch.bs | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/fetch.bs b/fetch.bs index 45f7e87fe..d91af2df9 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2253,9 +2253,14 @@ triggered by web content but whose headers and bodies can be only minimally cont content. Therefore, servers should expect cross-origin web content to be allowed to trigger non-preflighted requests with the following non-safelisted `Content-Type` header values: -`application/csp-report` [[CSP]], `application/report` [[REPORTING]], -`application/expect-ct-report+json` [[EXPECT-CT]], -`application/xss-auditor-report`, and `application/ocsp-request` [[OCSP]]. + +
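Review bot: in the references hunk earlier in this patch, `"OCSP": { "aliasOf": "RFC2560" }` points at a document that has been obsoleted; RFC 6960 is the current OCSP specification, defines the `application/ocsp-request` media type, and should be the alias target. The `EXPECT-CT` entry pins `https://tools.ietf.org/html/draft-ietf-httpbis-expect-ct-02`; a numbered draft goes stale quickly, so either reference the latest-draft URL or note that the entry needs updating once the RFC is published. In the second hunk, `application/xss-auditor-report` is added without a `[[...]]` reference while every other value gained one; see the note on the list in the next patch.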

    +
  • `application/csp-report` [[CSP]] +
  • `application/report` [[REPORTING]] +
  • `application/expect-ct-report+json` [[EXPECT-CT]] +
  • `application/xss-auditor-report` +
  • `application/ocsp-request` [[OCSP]] +

Specifications should avoid introducing new exceptions and should only do so with careful consideration for the security consequences. New exceptions can be proposed by
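Review bot: `application/xss-auditor-report` is the only list item without a `[[...]]` reference, which leaves it unclear which specification defines its request body and therefore why it qualifies under the "minimally controlled by the web content" rule stated just above the list; either cite the definition or say explicitly that it is a browser-specific report format with no specification behind it, so servers know not to expect a standardised body. Turning the run-on sentence into a list is otherwise an improvement, but the lead-in now ends in "values:" with no terminating punctuation on the last item, so check the rendered output reads as a complete sentence.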