From ce08dffdf306ddaee97bb23fbec2aef0569998f4 Mon Sep 17 00:00:00 2001 From: Anne van Kesteren Date: Thu, 24 May 2018 12:33:40 +0200 Subject: [PATCH 1/3] Define Cross-Origin-Resource-Policy response header This header makes it easier for sites to block unwanted "no-cors" cross-origin requests. Tests: * https://github.com/web-platform-tests/wpt/pull/11171 * https://github.com/web-platform-tests/wpt/pull/11427 * https://github.com/web-platform-tests/wpt/pull/11428 Follow-up: #760. Fixes #687. --- fetch.bs | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) diff --git a/fetch.bs b/fetch.bs index 9468109d0..5d5e094eb 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2517,6 +2517,58 @@ run these steps:

+

`Cross-Origin-Resource-Policy` header

+ +

The +`Cross-Origin-Resource-Policy` +response header can be used to require checking a request's +current url's origin against a request's +origin when request's mode is +"no-cors". + +

Its value ABNF: + +

+Cross-Origin-Resource-Policy     = %x73.61.6D.65.2D.6F.72.69.67.69.6E / %x73.61.6D.65.2D.73.69.74.65 ; "same-origin" / "same-site", case-sensitive
+ +

To perform a cross-origin resource policy check, given a request and +response, run these steps:

+ +
    +
  1. If request's mode is not "no-cors", then return + allowed. + +

  2. +

    If request's origin is same origin with + request's current url's origin, then return + allowed. + +

    A cross-origin response redirecting to a response that is + same origin or same site with the initial request and has a + `Cross-Origin-Resource-Policy` header specified, does not affect + anything. I.e., request's tainted origin flag is not checked. + +

  3. +

    Let policy be the combined value with + `Cross-Origin-Resource-Policy` and response's + header list. + +

    This means that `Cross-Origin-Resource-Policy: same-site, same-origin` + ends up as allowed below as it will never match anything. Two or more + `Cross-Origin-Resource-Policy` headers will have the same effect. + +

  4. If policy is `same-origin`, then return blocked. + +

  5. If request's origin's host is same site + with request's current url's host, then return + allowed. + +

  6. If policy is `same-site`, then return blocked. + +

  7. Return allowed. +

+ +

Fetching

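Review bot: Step 7 of the cross-origin resource policy check, read together with the note under step 3, makes every unrecognised or malformed value (including `same-site, same-origin` and two or more headers) fall through to allowed, and that fail-open outcome is only explained in a note; it should be stated normatively in the algorithm text so implementers do not treat unknown values as blocked. Separately, step 5 compares request's origin's host with request's current url's host and never consults scheme, so an http origin reading a same-site https response marked `same-site` passes the check; if that is not intended, the step needs a scheme condition alongside the host comparison and the note should say so.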
@@ -3850,6 +3902,10 @@ Range Requests. [[HTTP-RANGE]] However, this is not widely supported by b
  • If httpRequest's header list contains `Range`, then set response's range-requested flag. +

  • If the CORS flag is unset and the cross-origin resource policy check with + request and response returns blocked, then return a + network error. +

  • If response's status is 401, CORS flag is unset, credentials flag is set, and request's window is an @@ -6548,6 +6604,7 @@ Jeffrey Yasskin, Jesse M. Heines, Jinho Bang, Jochen Eisinger, +John Wilander, Jonas Sicking, Jonathan Kingston, Jonathan Watt, From e18fa04216bb22dac560fcb555f4ddba471a79ee Mon Sep 17 00:00:00 2001 From: Anne van Kesteren Date: Fri, 8 Jun 2018 13:16:28 +0200 Subject: [PATCH 2/3] prevent HTTPS responses from being accessed without secure transport --- fetch.bs | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/fetch.bs b/fetch.bs index 5d5e094eb..f786f3213 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2559,9 +2559,22 @@ Cross-Origin-Resource-Policy = %x73.61.6D.65.2D.6F.72.69.67.69.6E / %x73.61.

  • If policy is `same-origin`, then return blocked. -

  • If request's origin's host is same site - with request's current url's host, then return - allowed. +

  • +

    If the following are true + +

    + +

    then return allowed. + +

    This prevents HTTPS responses with + `Cross-Origin-Resource-Policy: same-site` from being accessed without secure + transport.

  • If policy is `same-site`, then return blocked. From ed96a170e00b02aa9813cf4e0b0660037917e6b3 Mon Sep 17 00:00:00 2001 From: Anne van Kesteren Date: Mon, 18 Jun 2018 14:19:44 +0200 Subject: [PATCH 3/3] rewrite note --- fetch.bs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/fetch.bs b/fetch.bs index f786f3213..308efcd32 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2543,10 +2543,10 @@ Cross-Origin-Resource-Policy = %x73.61.6D.65.2D.6F.72.69.67.69.6E / %x73.61. request's current url's origin, then return allowed. -

    A cross-origin response redirecting to a response that is - same origin or same site with the initial request and has a - `Cross-Origin-Resource-Policy` header specified, does not affect - anything. I.e., request's tainted origin flag is not checked. +

    While redirects that carry a + `Cross-Origin-Resource-Policy` header are checked, redirects + without such a header resulting in response do not contribute to this algorithm. I.e., + request's tainted origin flag is not checked.

  • Let policy be the combined value with
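Review bot: In the new fetching step from the first patch (the bullet inserted between the `Range` step and the 401 step), the "CORS flag is unset" condition is redundant with step 1 of the check, which already returns allowed whenever request's mode is not "no-cors" (a request fetched with the CORS flag set has mode "cors"); either drop it so a single place decides when the check applies, or add a short note saying it is defensive. The step also does not say where it sits relative to redirect handling; since the check reads response's header list, please state that it runs on each response obtained from the network, including each redirect response, which is what the later note about redirects carrying the header assumes.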
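Review bot: In the second patch, the replacement for the host-only same-site step reads "If the following are true" followed by an empty list in this diff, so the actual conditions (the scheme requirement that the trailing note describes) are not visible; please make sure the list items survived and that each condition names both the host comparison from the removed step and the scheme check. The note should also give the direction of the restriction explicitly: it protects https responses from being read without secure transport, but says nothing about an https origin reading an http same-site response, which the removed step allowed and which, as worded, still appears to be allowed. One sentence either way would remove the ambiguity for implementers writing the scheme test.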
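Review bot: In the rewritten note of the third patch, "redirects without such a header resulting in response" is hard to parse; suggest "redirects without such a header that lead to response". The sentence that follows, "I.e., request's tainted origin flag is not checked", is the substantive rule and should come first, since it tells implementers that the check is made per response against request's current url's origin rather than against every origin visited along the redirect chain; the statement about header-carrying redirects then reads as a consequence of that rule rather than as the rule itself.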