CORB: 3xx redirects, 304, 401, and 407 responses #728

Open
annevk opened this issue May 22, 2018 · 6 comments
Labels
needs tests Moving the issue forward requires someone to write tests security/privacy There are security or privacy implications topic: orb topic: redirects

Comments

@annevk
Member

annevk commented May 22, 2018

Should we apply the CORB check to these responses as well?

Currently we only do it for the final response, but if that's not good enough for From-Origin, is it good enough for CORB in general? A test for this would be somewhat involved, but you could imagine:

HTTP/1.1 302 HEY
Location: elsewhere
Content-Type: text/html
X-Content-Type-Options: nosniff
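As an added illustration of the two policies the issue weighs against each other (checking only the final response, as today, versus checking every response in the redirect chain), here is a toy JavaScript model of a CORB-style decision. It is not code from the Fetch spec or from any browser; the protected MIME list, the sniffing heuristic and the sample messages are constructed for this example, and the `inspectRedirects` flag is an assumed parameter, not a spec concept.

```javascript
// Added example, not code from the Fetch spec or any browser.
// Toy model of a CORB-style check applied to a redirect chain.
const PROTECTED_TYPES = new Set([
  "text/html", "text/xml", "application/xml", "application/json", "text/plain",
]);
const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]); // 304 is not a redirect

// Parse a raw HTTP/1.1 response message into { status, headers, body }.
function parseResponse(raw) {
  const sep = raw.indexOf("\r\n\r\n");
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? "" : raw.slice(sep + 4);
  const [statusLine, ...headerLines] = head.split("\r\n");
  const status = parseInt(statusLine.split(" ")[1], 10);
  const headers = new Map();
  for (const line of headerLines) {
    const idx = line.indexOf(":");
    if (idx === -1) continue;
    headers.set(line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim());
  }
  return { status, headers, body };
}

// "text/html; charset=utf-8" -> "text/html"
function essence(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

// Constructed sniffing heuristic: does the body start like HTML/XML or JSON?
function bodyLooksProtected(body) {
  const s = body.trimStart();
  return s.startsWith("<") || s.startsWith("{") || s.startsWith("[");
}

// CORB-style decision for a single cross-origin no-cors response:
// a protected type is blocked outright when nosniff is set, otherwise
// only when the body confirms the declared type.
function corbBlocks(resp) {
  const type = essence(resp.headers.get("content-type"));
  if (!PROTECTED_TYPES.has(type)) return false;
  const xcto = (resp.headers.get("x-content-type-options") || "").toLowerCase();
  if (xcto === "nosniff") return true;
  return bodyLooksProtected(resp.body);
}

// Walk the chain. With inspectRedirects=false (current behaviour) 3xx
// redirect responses are skipped; the final response is always checked.
// Returns the index of the first blocked response, or -1 if none.
function evaluateChain(rawResponses, { inspectRedirects }) {
  const chain = rawResponses.map(parseResponse);
  for (let i = 0; i < chain.length; i++) {
    const resp = chain[i];
    const isRedirect = REDIRECT_STATUSES.has(resp.status) && resp.headers.has("location");
    if (isRedirect && !inspectRedirects) continue;
    if (corbBlocks(resp)) return i;
  }
  return -1;
}

// Constructed sample chain: the 302 from the issue text, then an image.
const SAMPLE_CHAIN = [
  "HTTP/1.1 302 HEY\r\nLocation: elsewhere\r\nContent-Type: text/html\r\n" +
    "X-Content-Type-Options: nosniff\r\n\r\n<p>moved</p>",
  "HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n\x89PNG",
];

// A 304 carries no Location and is not a redirect status, so it is treated
// as a final response under both policies.
const SAMPLE_304 = [
  "HTTP/1.1 304 Not Modified\r\nContent-Type: text/html\r\n" +
    "X-Content-Type-Options: nosniff\r\n\r\n",
];
```

Under the current rule the sample chain is allowed (the redirect body is never delivered, so only the PNG is checked); with `inspectRedirects` on, the 302 itself is blocked on the strength of its `Content-Type` and `nosniff` headers.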
@annevk
Member Author

annevk commented May 22, 2018

@mikewest
Member

I would not be sad if we blocked redirect responses based on their MIME types. That said, I think we'd need to gather some data to determine how web-compatible it would be to tighten things here. I can imagine that servers accidentally rely on this kind of thing being ignored in the presence of Location headers.

@annevk annevk added the security/privacy There are security or privacy implications label May 22, 2018
@jakearchibald
Collaborator

If we're following redirects within fetch, that seems fine from a CORB point of view, since the body isn't going back to the content process.

@anforowicz
Contributor

cc @csreis

@annevk annevk added the needs tests Moving the issue forward requires someone to write tests label May 22, 2018
@annevk
Member Author

annevk commented May 22, 2018

Whether we do this or not, we should add a test to ensure implementations are consistent.

@annevk
Member Author

annevk commented May 17, 2022

I think I agree that we shouldn't inspect redirects. But in light of #1132 401 and 407 might be important as with the changes discussed there they could reach attacker-controlled processes.


4 participants