Consider further restricting which headers are allowed in responses blocked by CORB
Issue description

Currently responses blocked by CORB still retain the following response headers:
- cache-control, content-language, content-type, expires, last-modified, pragma (from https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
- access-control-*

Let's use this bug to investigate if that list can be trimmed down.
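To make the two header policies discussed in this bug concrete, here is an added model of CORB's header sanitization of a blocked response. It is illustration code written for this page, not Chromium's CrossOriginReadBlocking::SanitizeBlockedResponse; the function and constant names, and the sample response headers, are constructed for the example. The "safelist" policy is the behaviour described in the issue (CORS-safelisted response headers plus Access-Control-*), the "access-control-only" policy is the behaviour the landed change switches to, and the optional extra-safelist argument shows what would leak if Content-Length were added to the CORS safelist.

```javascript
// Added illustration, not Chromium code: which response headers survive
// sanitization of a CORB-blocked cross-origin response under two policies.
// Header names are compared case-insensitively, as in HTTP.

const CORS_SAFELISTED_RESPONSE_HEADERS = [
  'cache-control', 'content-language', 'content-type',
  'expires', 'last-modified', 'pragma',
];

// Policy from the issue description: keep CORS-safelisted response headers
// plus every Access-Control-* header. `extraSafelisted` models additions to
// the Fetch safelist (e.g. content-length) without changing the CORB code.
function makeSafelistPolicy(extraSafelisted = []) {
  const safelisted = new Set([...CORS_SAFELISTED_RESPONSE_HEADERS, ...extraSafelisted]);
  return (name) => safelisted.has(name) || name.startsWith('access-control-');
}

// Policy from the landed commit: retain only Access-Control-* headers.
function accessControlOnlyPolicy(name) {
  return name.startsWith('access-control-');
}

// headers: array of [name, value] pairs. Pairs (not an object) so that
// repeated headers such as multiple Set-Cookie lines are preserved as-is.
// Returns the surviving pairs with lower-cased names, in original order.
function sanitizeBlockedResponseHeaders(headers, retain) {
  return headers
    .map(([name, value]) => [name.toLowerCase(), value])
    .filter(([name]) => retain(name));
}

// Constructed sample: a blocked text/html response carrying a mix of
// safelisted, CORS, and sensitive headers.
const SAMPLE_RESPONSE_HEADERS = [
  ['Content-Type', 'text/html; charset=utf-8'],
  ['Content-Length', '5123'],
  ['Cache-Control', 'no-store'],
  ['Set-Cookie', 'session=abc; HttpOnly'],
  ['X-Frame-Options', 'DENY'],
  ['Access-Control-Allow-Origin', 'https://app.example'],
  ['Access-Control-Expose-Headers', 'X-Request-Id'],
  ['X-Request-Id', '7f3a'],
];

function headerNames(pairs) {
  return pairs.map(([name]) => name);
}

// Run the sample through each policy and report the retained header names.
function compareSanitizers(headers = SAMPLE_RESPONSE_HEADERS) {
  return {
    safelist: headerNames(
      sanitizeBlockedResponseHeaders(headers, makeSafelistPolicy())),
    safelistWithContentLength: headerNames(
      sanitizeBlockedResponseHeaders(headers, makeSafelistPolicy(['content-length']))),
    accessControlOnly: headerNames(
      sanitizeBlockedResponseHeaders(headers, accessControlOnlyPolicy)),
  };
}

console.log(JSON.stringify(compareSanitizers(), null, 2));
```

The sensitive headers (Set-Cookie, X-Frame-Options, X-Request-Id) are dropped under both policies; the difference is that the safelist policy still reveals Content-Type and Cache-Control, and would reveal Content-Length once that name joins the safelist, while the Access-Control-* only policy keeps just the two CORS headers.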
Comment 1 by lukasza@chromium.org, May 25 2018
FWIW, I've tested manually that the CORB console message still properly reports "text/html" even after stripping out the content-type header. I've also verified that the console message gets broken after tweaking CrossOriginReadBlocking::SanitizeBlockedResponse so that it calls |response->head.mime_type.clear()|. Leaking the MIME type in this way is probably okay.
May 25 2018
Thanks! I think this is worthwhile if we don't have another reason to keep CORS safelisted headers (since I think those are about the case that a response is allowed through, rather than anything CORB would need to allow on a blocked response). Best to limit the leak where possible, especially if Content-Length has been added as a CORS safelisted header in https://github.com/whatwg/fetch/pull/626. We should probably mention the change on the CORB spec discussion as FYI, and in case anyone spots a reason these headers are needed. Thanks! Looks like the CL is in progress here: https://chromium-review.googlesource.com/c/chromium/src/+/1072645
Aug 6
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/70077388f9b364d48c6a39af2adaaf917a1a5f63

commit 70077388f9b364d48c6a39af2adaaf917a1a5f63
Author: Lukasz Anforowicz <lukasza@chromium.org>
Date: Mon Aug 06 23:18:25 2018

CORB should only retain Access-Control-* response headers.

Cq-Include-Trybots: luci.chromium.try:linux_mojo
Change-Id: I8e39681139d273c16bc93cd58506bae2314fadd6
Bug: 846839
Reviewed-on: https://chromium-review.googlesource.com/1072645
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#581035}

[modify] https://crrev.com/70077388f9b364d48c6a39af2adaaf917a1a5f63/content/browser/loader/cross_site_document_blocking_browsertest.cc
[modify] https://crrev.com/70077388f9b364d48c6a39af2adaaf917a1a5f63/content/browser/loader/cross_site_document_resource_handler.cc
[modify] https://crrev.com/70077388f9b364d48c6a39af2adaaf917a1a5f63/content/test/data/cross_site_document_blocking/headers-test.json.mock-http-headers
[modify] https://crrev.com/70077388f9b364d48c6a39af2adaaf917a1a5f63/services/network/cross_origin_read_blocking.cc
[modify] https://crrev.com/70077388f9b364d48c6a39af2adaaf917a1a5f63/services/network/cross_origin_read_blocking.h
[modify] https://crrev.com/70077388f9b364d48c6a39af2adaaf917a1a5f63/services/network/cross_origin_read_blocking_explainer.md
[modify] https://crrev.com/70077388f9b364d48c6a39af2adaaf917a1a5f63/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/network/multiple-headers.js
[modify] https://crrev.com/70077388f9b364d48c6a39af2adaaf917a1a5f63/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/network/resources/multiple-headers.php
Aug 31