Prevent cross-origin sensitive header probing #1434
Conversation
yoavweiss
changed the title
There was a problem hiding this comment.
I think it'd be good to discuss the overall approach, before diving into the details (which need some work):
- What headers do we want to limit? All
Sec-headers? More? - What size do we want to limit them to? IIUC from the issue comments we want them to share the limit with Referer. Is that correct?
- What request modes and credentials modes are impacted?
- What happens if the limits are passed? Do we want to preflight? kill the request? Drop some headers?
|
@yoavweiss ready for another look |
|
@annevk for further review |
|
@annevk Have any time to take a look? |
There was a problem hiding this comment.
It seems this is only meant to impact CORS, but wouldn't some of these client hints be added to navigations and such? Some of these headers are added quite late in the game too (e.g., Cookie and Authorization) and I'm not sure how that would work given the envisioned setup.
|
Also somehow the Build bot hasn't run for your latest commit. Perhaps rebasing will help with that? |
"First-time contributors need a maintainer to approve running workflows." |
Ah, does this require integration in the HTTP spec as well? |
|
Is the proposal to make CORS depend on Cookie and Authorization header? Did you have an implementation in mind? I also don't see how that could work in, say, Chromium. Authorization headers are especially fun because HTTP auth can cause a single high-level request to actually contact the server multiple times. (Some auth methods may require several requests.) And then the HTTP stack might itself add others headers like If-None-Match for caching, etc. Caching, for that matter, can also require multiple requests in some cases. I suspect limits for headers applied deep in HTTP would need to be applied separately, and you wouldn't be able to use preflights as an escape hatch. I think they'd have to be hard limits. And then the value servers need to set would be the sum of every layer's limits. |
No, Fetch defines most of the networking architecture of a browser, including navigations (" |
The goal of this algorithm is to prevent cross-origin requests from probing the size of sensitive headers (
AuthorizationorCookie) by adding headers to cross-site requests until the total size of all HTTP request headers exceeds the server side limit. In order for this approach to succeed, servers should not set a HTTP request headers size limit below 8KB.closes WICG/client-hints-infrastructure#100
(See WHATWG Working Mode: Changes for more details.)
Preview | Diff