
Prevent cross-origin sensitive header probing

Open arichiv opened this issue 3 years ago • 8 comments

The goal of this algorithm is to prevent cross-origin requests from probing the size of sensitive headers (Authorization or Cookie) by adding headers to cross-site requests until the total size of all HTTP request headers exceeds the server-side limit. In order for this approach to succeed, servers should not set an HTTP request header size limit below 8KB.

closes https://github.com/WICG/client-hints-infrastructure/issues/100

  • [ ] At least two implementers are interested (and none opposed):
  • [ ] Tests are written and can be reviewed and commented upon at:
  • [ ] Implementation bugs are filed:
    • Chrome: …
    • Firefox: …
    • Safari: …
    • Deno (not for CORS changes): …

(See WHATWG Working Mode: Changes for more details.)


arichiv, May 03 '22 18:05
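As an added illustration of the padding idea in the PR description (this is example code, not the PR's spec text or any browser's implementation), the following pads a cross-site request's header block up to a fixed size so that a server cannot infer the length of Cookie or Authorization from the total. The padding header name `Sec-Padding`, the 8192-byte target and the `Name: value\r\n` serialization are assumptions made here for the example; the PR names no header.

```python
# Added example, not from the fetch spec PR: pad request headers to a fixed
# total size so cross-site observers learn nothing from the header block length.

PADDING_LIMIT = 8192            # bytes; assumed here to match the PR's "not below 8KB" guidance
PADDING_HEADER = "Sec-Padding"  # hypothetical name; the PR does not define one


def header_block_size(headers):
    """Size in bytes of the serialized block, counting 'Name: value\\r\\n' per header."""
    return sum(len(f"{name}: {value}\r\n".encode()) for name, value in headers)


def pad_headers(headers, limit=PADDING_LIMIT, padding_header=PADDING_HEADER):
    """Return a copy of `headers` plus one padding header so the serialized size
    equals `limit` exactly. If the block already reaches the limit (the padding
    header would not fit), the headers are returned unchanged: the point of the
    scheme is that every padded request looks the same size, and an oversized
    request is rejected by the server's limit anyway."""
    size = header_block_size(headers)
    overhead = len(f"{padding_header}: \r\n".encode())  # bytes the padding header costs when empty
    remaining = limit - size - overhead
    if remaining < 0:
        return list(headers)
    return list(headers) + [(padding_header, "x" * remaining)]


def size_reveals_secret(headers_a, headers_b):
    """True when two header blocks differ in total size, i.e. an observer of
    the size alone could tell them apart."""
    return header_block_size(headers_a) != header_block_size(headers_b)


if __name__ == "__main__":
    # Constructed sample requests: same request, different cookie lengths.
    base = [("Host", "example.test"), ("Accept", "*/*")]
    short_cookie = base + [("Cookie", "session=a")]
    long_cookie = base + [("Cookie", "session=" + "a" * 500)]
    print("unpadded sizes differ:", size_reveals_secret(short_cookie, long_cookie))
    print("padded sizes differ:  ",
          size_reveals_secret(pad_headers(short_cookie), pad_headers(long_cookie)))
```

Run as a script it shows the unpadded blocks differing in size while the padded ones match, which is the property the PR is after. Note that the scheme only hides sizes below the target: a request whose headers already exceed the limit is passed through unchanged, which is why the description asks servers not to set their limit lower than the padding target.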

@yoavweiss ready for another look

arichiv, May 31 '22 15:05

@annevk for further review

arichiv, Jun 29 '22 09:06

@annevk Have any time to take a look?

arichiv, Aug 17 '22 13:08

Also somehow the Build bot hasn't run for your latest commit. Perhaps rebasing will help with that?

annevk, Sep 26 '22 11:09

> Also somehow the Build bot hasn't run for your latest commit. Perhaps rebasing will help with that?

"First-time contributors need a maintainer to approve running workflows."

arichiv, Oct 05 '22 14:10

> It seems this is only meant to impact CORS, but wouldn't some of these client hints be added to navigations and such? Some of these headers are added quite late in the game too (e.g., Cookie and Authorization) and I'm not sure how that would work given the envisioned setup.

Ah, does this require integration in the HTTP spec as well?

arichiv, Oct 05 '22 14:10

Is the proposal to make CORS depend on the Cookie and Authorization headers? Did you have an implementation in mind? I also don't see how that could work in, say, Chromium. Authorization headers are especially fun because HTTP auth can cause a single high-level request to actually contact the server multiple times. (Some auth methods may require several requests.) And then the HTTP stack might itself add other headers like If-None-Match for caching, etc. Caching, for that matter, can also require multiple requests in some cases.

I suspect limits for headers applied deep in HTTP would need to be applied separately, and you wouldn't be able to use preflights as an escape hatch. I think they'd have to be hard limits. And then the value servers need to set would be the sum of every layer's limits.

davidben, Oct 05 '22 15:10

> Ah, does this require integration in the HTTP spec as well?

No, Fetch defines most of the networking architecture of a browser, including navigations ("navigate") and "no-cors" requests.

annevk, Oct 07 '22 09:10