Should we ignore invalid values? #54
Comments
I think this is a reasonable approach, and IMHO the spec may be a little too defensive when it comes to avoiding breakage due to unknown values. My guess is that at least for I'm not sure if there's much to do here other than possibly softening the wording, but we should keep this in mind if/when we consider adding new values to
I have some doubts. I don't want to launch the topic here (for this version of the spec), but other values that would find interesting use cases would be something like
I'm going to close this out, as I think it's something to consider only if/when we add new values to existing headers. At the moment, that doesn't look terribly likely for
For each header the spec says: "In order to support forward-compatibility with as-yet-unknown request types, servers SHOULD ignore this header if it contains an invalid value."
I think it is really dangerous: when developers adopt this standard they will use it as a real security feature, because, as the spec says, CSRF is really difficult to solve without this spec.
Now imagine that a new spec version adds a different value: all deployed servers that implement the old specification will offer a security hole or be unusable (depending on whether developers check the values as a blacklist or a whitelist).
Proposal: `Sec-Fetch-Site` (and probably others), a new spec version will never add a different value BUT could sub-divide a value in a more specific category with a suffix. Example: `cross-site/case-1`, `cross-site/case-2`.
`.startsWith()` function.
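The trade-off the issue describes, as an added example that is not part of the thread or of the Fetch Metadata spec: a server-side `Sec-Fetch-Site` check written three ways (blacklist, whitelist, and the prefix comparison the proposal implies), run against the values a server knows today and against the hypothetical `cross-site/case-1` style values from the issue. The `KNOWN_SAFE` set, the function names and the sample header values are assumptions made for the example.

```javascript
// Added example (not code from the issue or the spec). Shows how each checking
// style behaves when a future spec version introduces a Sec-Fetch-Site value
// the server was not written to expect. All header values are constructed.

// Values a resource-isolation policy typically accepts (assumption for this example).
const KNOWN_SAFE = new Set(['same-origin', 'same-site', 'none']);

// Style 1: blacklist. Rejects exactly "cross-site"; anything else is allowed.
// An unknown value such as "cross-site/case-1" slips through: the security hole.
function blacklistAllows(site) {
  return site !== 'cross-site';
}

// Style 2: whitelist. Accepts only values known at deploy time.
// An unknown value such as "same-origin/case-1" is rejected: the site breaks.
function whitelistAllows(site) {
  return KNOWN_SAFE.has(site);
}

// Style 3: the proposal. If new versions may only refine a value with a
// "/suffix", the category before the slash is enough to decide.
function prefixAllows(site) {
  const category = site.split('/', 1)[0];
  return KNOWN_SAFE.has(category);
}

// Apply one policy to a request's headers. A missing header (a browser that
// does not send Fetch Metadata) is treated as "no information": allowed.
function isAllowed(policy, headers) {
  const site = headers['sec-fetch-site'];
  if (site === undefined) return true;
  return policy(site);
}

// Evaluate every policy on every sample value and return the decision table.
function decisionTable() {
  const policies = { blacklist: blacklistAllows, whitelist: whitelistAllows, prefix: prefixAllows };
  const samples = [
    'same-origin', 'same-site', 'none', 'cross-site',   // values known today
    'same-origin/case-1', 'cross-site/case-1',          // hypothetical refinements
  ];
  const table = {};
  for (const site of samples) {
    table[site] = {};
    for (const [name, policy] of Object.entries(policies)) {
      table[site][name] = isAllowed(policy, { 'sec-fetch-site': site });
    }
  }
  return table;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(decisionTable());
}
```

Reading the table row for `cross-site/case-1` shows the hole (blacklist allows it) and the row for `same-origin/case-1` shows the breakage (whitelist rejects it); only the prefix comparison gets both rows right, which is what the proposal buys at the cost of constraining how future values may be named.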