Skip to content

Commit

Permalink
Define Cross-Origin-Resource-Policy response header
Browse files Browse the repository at this point in the history
This header makes it easier for sites to block unwanted "no-cors" cross-origin requests.

Tests: ...

Fixes #687.
  • Loading branch information
annevk committed May 30, 2018
1 parent ffbaefb commit f31e50a
Showing 1 changed file with 57 additions and 0 deletions.
57 changes: 57 additions & 0 deletions fetch.bs
Original file line number Diff line number Diff line change
Expand Up @@ -2514,6 +2514,58 @@ run these steps:</p>
</ol>


<h3 id=cross-origin-resource-policy-header>`<code>Cross-Origin-Resource-Policy</code>` header</h3>

<p>The
`<dfn export http-header id=http-cross-origin-resource-policy><code>Cross-Origin-Resource-Policy</code></dfn>`
response <a for=/>header</a> can be used to require checking a <a for=/>request</a>'s
<a for=request>current url</a>'s <a for=url>origin</a> against a <a for=/>request</a>'s
<a for=request>origin</a> when <a for=/>request</a>'s <a for=request>mode</a> is
"<code>no-cors</code>".

<p>Its <a for=header>value</a> <a>ABNF</a>:

<pre>
Cross-Origin-Resource-Policy = %x73.61.6D.65 / %x73.61.6D.65.2D.73.69.74.65 ; "same" / "same-site", case-sensitive</pre>

<p>To perform a <dfn>cross-origin resource policy check</dfn>, given a <var>request</var> and
<var>response</var>, run these steps:</p>

<ol>
<li><p>If <var>request</var>'s <a for=request>mode</a> is not "<code>no-cors</code>", then return
<b>allowed</b>.

<li>
<p>If <var>request</var>'s <a for=request>origin</a> is <a>same origin</a> with
<var>request</var>'s <a for=request>current url</a>'s <a for=url>origin</a>, then return
<b>allowed</b>.

<p class="note no-backref">A cross-origin response redirecting to a response that is
<a>same origin</a> or <a>same site</a> with the initial request and has a
`<a http-header><code>Cross-Origin-Resource-Policy</code></a>` header specified, does not affect
anything. I.e., <var>request</var>'s <a for=request>tainted origin flag</a> is not checked.

<li>
<p>Let <var>policy</var> be the <a>combined value</a> with
`<a http-header><code>Cross-Origin-Resource-Policy</code></a>` and <var>response</var>'s
<a for=response>header list</a>.

<p class=note>This means that `<code>Cross-Origin-Resource-Policy: same-site, same</code>` ends up
as <b>allowed</b> below as it will never match anything. Two or more
`<a http-header><code>Cross-Origin-Resource-Policy</code></a>` headers will have the same effect.

<li><p>If <var>policy</var> is `<code>same</code>`, then return <b>blocked</b>.

<li><p>If <var>request</var>'s <a for=request>origin</a>'s <a for=url>host</a> is <a>same site</a>
with <var>request</var>'s <a for=request>current url</a>'s <a for=url>host</a>, then return
<b>allowed</b>.

<li><p>If <var>policy</var> is `<code>same-site</code>`, then return <b>blocked</b>.

<li><p>Return <b>allowed</b>.
</ol>



<h2 id=fetching>Fetching</h2>

Expand Down Expand Up @@ -3837,6 +3889,10 @@ Range Requests</cite>. [[HTTP-RANGE]] However, this is not widely supported by b
<li><p>If <var>httpRequest</var>'s <a for=request>header list</a> <a for="header list">contains</a>
`<code>Range</code>`, then set <var>response</var>'s <a for=response>range-requested flag</a>.

<li><p>If the <i>CORS flag</i> is unset and the <a>cross-origin resource policy check</a> with
<var>request</var> and <var>response</var> returns <b>blocked</b>, then return a
<a>network error</a>.

<li>
<p>If <var>response</var>'s <a for=response>status</a> is <code>401</code>, <i>CORS flag</i>
is unset, <i>credentials flag</i> is set, and <var>request</var>'s <a for=request>window</a> is an
Expand Down Expand Up @@ -6535,6 +6591,7 @@ Jeffrey Yasskin,
Jesse M. Heines,
Jinho Bang,
Jochen Eisinger,
John Wilander,
Jonas Sicking,
Jonathan Kingston,
Jonathan Watt,
Expand Down

0 comments on commit f31e50a

Please sign in to comment.