| 06:29 | <annevk> | jub0bs: there is https://fetch.spec.whatwg.org/#http-cors-protocol still |
| 06:31 | <annevk> | jub0bs: I think I wrote it anew because the old approach wasn't really liked by server developers, but I'm not entirely sure |
| 09:02 | <jub0bs> | Thanks annevk; that actually helps. |
| 13:21 | <smaug> | annevk: wasn't your test correct and then someone broke it? https://searchfox.org/mozilla-central/source/testing/web-platform/tests/html/infrastructure/safe-passing-of-structured-data/shared-array-buffers/blob-data.https.html#109 |
| 13:30 | <smaug> | or perhaps I'm missing something? Chrome has had issues with data: urls elsewhere, like https://github.com/w3c/webappsec-secure-contexts/issues/69#issuecomment-585780599 |
| 13:32 | <annevk> | smaug: the most significant change I can find is https://github.com/web-platform-tests/wpt/commit/ce281cc3f32d8e93ecbb33a51321d846ee2aae37 |
| 13:32 | <smaug> | right. The question is how data: workers should behave |
| 13:34 | <smaug> | er, I was missing something |
| 13:34 | <smaug> | "If is shared is false and response's url's scheme is "data", then set worker global scope's cross-origin isolated capability to false." |
| 13:35 | <annevk> | I'm not sure if Firefox has the "capability" feature, that got added a bit later |
| 13:35 | <annevk> | It also had some wrinkles around shared/service workers that might not be sorted yet spec-wise |
| 15:14 | <jub0bs> | annevk: In connection with my earlier question: I think one reason why many people find debugging CORS issues frustrating is that CORS-middleware developers followed that resource-processing model to the letter, and never relaxed their implementation when the spec moved to the Fetch standard. |
| 15:19 | <jub0bs> | One example: Alice configures CORS on
which is true but a bit misleading about the actual reason why the server didn't respond with the required CORS headers (i.e. that request header |
| 15:23 | <jub0bs> | In my experience, many CORS-related questions asked on Stack Overflow stem from this design decision. But that's not inevitable. A CORS middleware library could reply with
|
| 15:23 | <annevk> | From a theoretical perspective it does seem better to not reveal any information though in such a scenario. |
| 15:24 | <jub0bs> | What are you concerned about, specifically? Some side channel? |
| 15:25 | <annevk> | Yeah. But you're right that it would make specialized error messages harder. Either way browsers could do more than they are doing and list all the required headers. And middleware could probably offer debug and strict modes. |
| 15:27 | <jub0bs> | I've thought about offering debug/strict modes in my CORS middleware, but I'm not 100% convinced. My users would have to know the option exists, activate it, redeploy, test, then deactivate it and redeploy once more. And I'm not sure whether (or how quickly) browser vendors could be convinced to produce more informative error messages, to be honest... |
| 15:29 | <jub0bs> | Since nothing much happens during preflight on the server side (as the CORS middleware should handle the preflight request rather than passing it on to the next handler in the chain), I'm wondering whether worrying about side-channel attacks during preflight is justified. Do you know of such attacks? I know the Fetch standard mentions that possibility:
But has it ever been an issue in practice? |
| 16:02 | <annevk> | I'm not sure what you mean. The side channel is there whether you use a 403 or not. |
| 16:07 | <jub0bs> | True, the status code is irrelevant. But what kind of useful information could be gleaned by an attacker if the server included the ACAO header (and possibly ACAM and ACAH with "partial" values) in the response despite a failure of CORS preflight? Or is the side-channel attack you're worried about something else entirely? |
| 16:33 | <annevk> | It's separate, but maybe it would be better to remove it as for preflights it doesn't matter too much as you say. |
| 16:48 | <jub0bs> | Thanks for clarifying. That's great. |
| 16:50 | <jugglinmike> | annevk: https://github.com/whatwg/infra/issues/518 -- I'm mentioning that here mostly in case other folks are following along |
| 16:52 | <jub0bs> | annevk: I'm currently writing a blog post about my design philosophy for my CORS middleware library. Do you mind if I mention your name (along with Jake's, who also helped me understand a few subtleties) in the acknowledgements? I intend to specify that such an acknowledgement does not count as an endorsement of my library on your part 😇 |
| 17:40 | <annevk> | jub0bs: sure |
| 17:40 | <annevk> | jugglinmike: ta |
| 17:42 | <jub0bs> | Yes. I think this passage deserves at least some clarification:
In particular, I'm not sure myself what "denote this" refers to... |
| 17:45 | <annevk> | jub0bs: can you file an issue? |
| 17:45 | <annevk> | I can fix, but not today |
| 18:22 | <jub0bs> | annevk: I sure can! There's no rush for you to fix it, though. Done: https://github.com/whatwg/fetch/issues/1588 |