-
Notifications
You must be signed in to change notification settings - Fork 337
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Have CORP check rely on request's response tainting rather than request's mode #985
Comments
[PROTOTYPE] => DO NOT COMMIT. Document using: "Cross-Origin-Embedder-Policy: require-corp" must not access cross-origin response that do not have the header: "Cross-Origin-Resource-Policy: cross-site" This is about only no-cors requests. CORS requests are checked against the CORS headers instead. See: - whatwg/fetch#985 - w3c/ServiceWorker#1490 Bug:1031542 Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9
[PROTOTYPE] => DO NOT COMMIT. Document using: "Cross-Origin-Embedder-Policy: require-corp" must not access cross-origin response that do not have the header: "Cross-Origin-Resource-Policy: cross-site" This is about only no-cors requests. CORS requests are checked against the CORS headers instead. See: - whatwg/fetch#985 - w3c/ServiceWorker#1490 Bug:1031542 Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9
[PROTOTYPE] => DO NOT COMMIT. Document using: "Cross-Origin-Embedder-Policy: require-corp" must not access cross-origin response that do not have the header: "Cross-Origin-Resource-Policy: cross-site" This is about only no-cors requests. CORS requests are checked against the CORS headers instead. See: - whatwg/fetch#985 - w3c/ServiceWorker#1490 Bug:1031542 Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9
[PROTOTYPE] => DO NOT COMMIT. Document using: "Cross-Origin-Embedder-Policy: require-corp" must not access cross-origin response that do not have the header: "Cross-Origin-Resource-Policy: cross-site" This is about only no-cors requests. CORS requests are checked against the CORS headers instead. See: - whatwg/fetch#985 - w3c/ServiceWorker#1490 Bug:1031542 Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9
Document using: "Cross-Origin-Embedder-Policy: require-corp" must not access cross-origin response that do not have the header: "Cross-Origin-Resource-Policy: cross-site" This is about only no-cors requests. CORS requests are checked against the CORS headers instead. See: - whatwg/fetch#985 - w3c/ServiceWorker#1490 Bug:1031542 Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9
Document using: "Cross-Origin-Embedder-Policy: require-corp" must not access cross-origin response that do not have the header: "Cross-Origin-Resource-Policy: cross-site" This is about only no-cors requests. CORS requests are checked against the CORS headers instead. See: - whatwg/fetch#985 - w3c/ServiceWorker#1490 Bug:1031542 Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9
Document using: "Cross-Origin-Embedder-Policy: require-corp" must not access cross-origin response that do not have the header: "Cross-Origin-Resource-Policy: cross-site" This is about only no-cors requests. CORS requests are checked against the CORS headers instead. See: - whatwg/fetch#985 - w3c/ServiceWorker#1490 Bug:1031542 Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9
Document using: "Cross-Origin-Embedder-Policy: require-corp" must not access cross-origin response that do not have the header: "Cross-Origin-Resource-Policy: cross-site" This is about only no-cors requests. CORS requests are checked against the CORS headers instead. See: - whatwg/fetch#985 - w3c/ServiceWorker#1490 Bug:1031542 Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9
Given the check the only caller does today is
per https://fetch.spec.whatwg.org/#ref-for-cross-origin-resource-policy-check perhaps that initial step
is even redundant? I think we should investigate how this should change together with the change to enforce this for a service worker response. |
Document using: "Cross-Origin-Embedder-Policy: require-corp" must not access cross-origin response that do not have the header: "Cross-Origin-Resource-Policy: cross-site" This is about only no-cors requests. CORS requests are checked against the CORS headers instead. See: - whatwg/fetch#985 - w3c/ServiceWorker#1490 Bug: 1031542 Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1973913 Auto-Submit: Arthur Sonzogni <[email protected]> Reviewed-by: Camille Lamy <[email protected]> Reviewed-by: Ben Kelly <[email protected]> Reviewed-by: Mike West <[email protected]> Commit-Queue: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/master@{#726782}
Document using: "Cross-Origin-Embedder-Policy: require-corp" must not access cross-origin response that do not have the header: "Cross-Origin-Resource-Policy: cross-site" This is about only no-cors requests. CORS requests are checked against the CORS headers instead. See: - whatwg/fetch#985 - w3c/ServiceWorker#1490 Bug: 1031542 Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1973913 Auto-Submit: Arthur Sonzogni <[email protected]> Reviewed-by: Camille Lamy <[email protected]> Reviewed-by: Ben Kelly <[email protected]> Reviewed-by: Mike West <[email protected]> Commit-Queue: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/master@{#726782}
Yes, that is a possible approach. Do you think it's better? Regarding the service worker response, it is now part of https://github.com/mikewest/corpp. |
I think I would prefer putting all the checks in Fetch, if possible (Fetch gets the response from the service worker and can do it, after all), rather than putting security checks in Service Workers for this. |
…estonly Automatic update from web-platform-tests COEP: Enforce CORP in cache.match() Document using: "Cross-Origin-Embedder-Policy: require-corp" must not access cross-origin response that do not have the header: "Cross-Origin-Resource-Policy: cross-site" This is about only no-cors requests. CORS requests are checked against the CORS headers instead. See: - whatwg/fetch#985 - w3c/ServiceWorker#1490 Bug: 1031542 Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1973913 Auto-Submit: Arthur Sonzogni <[email protected]> Reviewed-by: Camille Lamy <[email protected]> Reviewed-by: Ben Kelly <[email protected]> Reviewed-by: Mike West <[email protected]> Commit-Queue: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/master@{#726782} -- wpt-commits: 236e6dbc70e128ab5ff5bad6ab98888281df8ffd wpt-pr: 20840
…estonly Automatic update from web-platform-tests COEP: Enforce CORP in cache.match() Document using: "Cross-Origin-Embedder-Policy: require-corp" must not access cross-origin response that do not have the header: "Cross-Origin-Resource-Policy: cross-site" This is about only no-cors requests. CORS requests are checked against the CORS headers instead. See: - whatwg/fetch#985 - w3c/ServiceWorker#1490 Bug: 1031542 Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1973913 Auto-Submit: Arthur Sonzogni <[email protected]> Reviewed-by: Camille Lamy <[email protected]> Reviewed-by: Ben Kelly <[email protected]> Reviewed-by: Mike West <[email protected]> Commit-Queue: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/master@{#726782} -- wpt-commits: 236e6dbc70e128ab5ff5bad6ab98888281df8ffd wpt-pr: 20840
I prefer running a CORP check in cache.match(w3c/ServiceWorker#1490), which means calling it from the SW spec. |
Fair, I guess that would be the exception, but I don't think we need it for |
Merges https://github.com/WICG/cross-origin-embedder-policy into HTML. Associated PRs: * whatwg/fetch#1030 * w3c/ServiceWorker#1516 * w3c/css-houdini-drafts#992 Fixes whatwg#5368, fixes whatwg#5634, fixes whatwg/fetch#985, and fixes w3c/ServiceWorker#1490. Follow-up: whatwg#4916, whatwg#4919, whatwg#4930 whatwg#5223, and whatwg#5391. (As well as defining cross-origin isolated, per whatwg#4732.)
Brought up at https://chromium-review.googlesource.com/c/chromium/src/+/1971810, related with w3c/ServiceWorker#1490.
We would like to run the CORP check in CacheStorage for COEP (w3c/ServiceWorker#1490), but currently the CORP check relies on the request mode which is not directly accessible there. request's response tainting is stored as response type and we can use it. What do you think about changing the first item as follows?
If request's response tainting is not "opaque", then return allowed.
In the CacheStorage spec, we will restore a request for the CORP check as follows:
@ArthurSonzogni @wanderview @annevk
The text was updated successfully, but these errors were encountered: