From a422fe481913c3512590ec716b627c3a1f13811f Mon Sep 17 00:00:00 2001 From: Lukasz Anforowicz Date: Wed, 21 Mar 2018 13:14:41 -0700 Subject: [PATCH 01/16] CORB: nosniff handling --- fetch.bs | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/fetch.bs b/fetch.bs index 5b3033107..31c775e65 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2346,13 +2346,21 @@ X-Content-Type-Options = "nosniff" ; case-insensitive

  • If destination is "style" and mimeType (ignoring parameters) is not `text/css`, then return blocked. +

  • If destination is + "audio", + "font", + "image", + "track" or + "video" + and mimeType (ignoring parameters) is + a HTML MIME type, + a JSON MIME type or + an XML MIME type (except "image/svg+xml") + then return blocked. +

  • Return allowed. -

    Only request destinations that are -script-like or "style" are considered as any exploits -pertain to them. Also, considering "image" was not compatible with deployed content. -

    Fetching

    From cb50fe9ccc299f5e07b24cb85d89806d3ab47db3 Mon Sep 17 00:00:00 2001 From: Lukasz Anforowicz Date: Fri, 30 Mar 2018 12:07:03 -0700 Subject: [PATCH 02/16] Restrict the changes to cross-origin, non-cors-allowed requests --- fetch.bs | 34 +++++++++++++++++++++++----------- 1 file changed, 23 insertions(+), 11 deletions(-) diff --git a/fetch.bs b/fetch.bs index 31c775e65..3aa2bba9b 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2346,17 +2346,29 @@ X-Content-Type-Options = "nosniff" ; case-insensitive

  • If destination is "style" and mimeType (ignoring parameters) is not `text/css`, then return blocked. -

  • If destination is - "audio", - "font", - "image", - "track" or - "video" - and mimeType (ignoring parameters) is - a HTML MIME type, - a JSON MIME type or - an XML MIME type (except "image/svg+xml") - then return blocked. +

  • Return blocked if all of the following conditions are met: +

  • Return allowed. From 215954792a680b738b0bd00848785f8b583fd920 Mon Sep 17 00:00:00 2001 From: Lukasz Anforowicz Date: Wed, 18 Apr 2018 08:59:46 -0700 Subject: [PATCH 03/16] Putting CORB into a separate section --- fetch.bs | 119 ++++++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 96 insertions(+), 23 deletions(-) diff --git a/fetch.bs b/fetch.bs index 3aa2bba9b..155528fe6 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2346,29 +2346,89 @@ X-Content-Type-Options = "nosniff" ; case-insensitive

  • If destination is "style" and mimeType (ignoring parameters) is not `text/css`, then return blocked. -

  • Return blocked if all of the following conditions are met: -

    +

  • Return allowed. + + +

    Only request destinations that are +script-like or "style" are considered as any exploits +pertain to them. Also, considering "image" was not compatible with deployed content. + + +

    Cross-Origin Read Blocking (CORB)

    + +

    Should +response to request be blocked due to CORB?

    + +

    Run these steps: + +

      +

    1. If request's destination is + "document", + "embed" or + "object" + then return allowed. + +

    2. If request's initiator is + "download" + then return allowed. + +

    3. If request's origin + is same origin with + request's current url's origin + then return allowed. + +

    4. If request's current url's origin's + scheme is neither "http" nor "https" + then return allowed. + +

      Checking the scheme of +current url's origin +(rather than of current url's itself) +ensures that blob URIs are handled correctly

      + +

    5. Let allowedOrigin be the result of extracting header values + from the first header whose name + is a byte-case-insensitive match for + `Access-Control-Allow-Origin` + in response's header list. + +

    6. If allowedOrigin is + "*" or + same as request's origin + then return allowed. + +

    7. Let mimeType be the result of extracting a MIME type + from response's header list. + +

    8. Let contentRange be the result of extracting header values + from the first header whose name + is a byte-case-insensitive match for + `Content-Range` + in response's header list. + +

    9. If contentRange is not a failure and + mimeType (ignoring parameters) is + a HTML MIME type or + a JSON MIME type or + an XML MIME type (except "image/svg+xml") + then return blocked. + +

    10. Let nosniff be the result of extracting header values + from the first header whose name + is a byte-case-insensitive match for + `X-Content-Type-Options` + in response's header list. + +

    11. If nosniff is not a failure and + mimeType (ignoring parameters) is + a HTML MIME type or + a JSON MIME type or + an XML MIME type (except "image/svg+xml") or + a "text/plain" MIME type + then return blocked. + + +

    12. Return allowed.

    @@ -2833,6 +2893,19 @@ with a CORS flag and recursive flag, run these steps:
  • should internalResponse to request be blocked due to nosniff +
  • +

    If response is not a network error and + the CORB algorithm returns blocked, + then for both response and internalResponse: +

    +

  • If response is not a network error and either request's method is From 7ac369c7525ba3b241a7967f1c8d127923675f5b Mon Sep 17 00:00:00 2001 From: Lukasz Anforowicz Date: Mon, 23 Apr 2018 12:53:06 -0700 Subject: [PATCH 04/16] Connecting CORB to step 5 of the main fetch algorithm --- fetch.bs | 64 +++++++++++++++++++++----------------------------------- 1 file changed, 24 insertions(+), 40 deletions(-) diff --git a/fetch.bs b/fetch.bs index 155528fe6..646d6b701 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1156,7 +1156,7 @@ Unless stated otherwise, it is zero.

    A request has an associated response tainting, -which is "basic", "cors", or "opaque". +which is "basic", "corb", "cors", or "opaque". Unless stated otherwise, it is "basic".

    A request has an associated done flag. @@ -1413,6 +1413,21 @@ which is only "accessible" to internal specification algorithms and is never a name is a forbidden response-header name. +

    A CORB filtered response is a +filtered response whose +type is "corb", +header list excludes any +headers in +internal response's +header list whose +name is not a +CORS-safelisted response-header name, +nor a name that starts with "Access-Control-", given +internal response's +CORS-exposed header-name list, +body is null, and +trailer is empty. +

    A CORS filtered response is a filtered response whose type is "cors", @@ -2372,11 +2387,6 @@ pertain to them. Also, considering "image" was not compatible with "download" then return allowed. -

  • If request's origin - is same origin with - request's current url's origin - then return allowed. -

  • If request's current url's origin's scheme is neither "http" nor "https" then return allowed. @@ -2386,27 +2396,10 @@ pertain to them. Also, considering "image" was not compatible with (rather than of current url's itself) ensures that blob URIs are handled correctly

    -

  • Let allowedOrigin be the result of extracting header values - from the first header whose name - is a byte-case-insensitive match for - `Access-Control-Allow-Origin` - in response's header list. - -

  • If allowedOrigin is - "*" or - same as request's origin - then return allowed. -

  • Let mimeType be the result of extracting a MIME type from response's header list. -

  • Let contentRange be the result of extracting header values - from the first header whose name - is a byte-case-insensitive match for - `Content-Range` - in response's header list. - -

  • If contentRange is not a failure and +

  • If response's status is 206 and mimeType (ignoring parameters) is a HTML MIME type or a JSON MIME type or @@ -2806,9 +2799,11 @@ with a CORS flag and recursive flag, run these steps:
    Otherwise
      -

    1. Set request's - response tainting to - "cors". +

    2. If the CORB algorithm + returns blocked, then + set request's response tainting to "corb". + Otherwise + set request's response tainting to "cors".

    3. Return the result of performing an HTTP fetch using request with CORS flag set. @@ -2856,6 +2851,8 @@ with a CORS flag and recursive flag, run these steps:

      "basic"
      basic filtered response +
      "corb" +
      CORB filtered response
      "cors"
      CORS filtered response
      "opaque" @@ -2893,19 +2890,6 @@ with a CORS flag and recursive flag, run these steps:
    4. should internalResponse to request be blocked due to nosniff -
    5. -

      If response is not a network error and - the CORB algorithm returns blocked, - then for both response and internalResponse: -

      -

    6. If response is not a network error and either request's method is From 48de6d8a64dc843c34c98bc562508f1e9da3c01f Mon Sep 17 00:00:00 2001 From: Lukasz Anforowicz Date: Tue, 24 Apr 2018 08:04:32 -0700 Subject: [PATCH 05/16] Reusing the concept of an opaque filtered response --- fetch.bs | 21 ++------------------- 1 file changed, 2 insertions(+), 19 deletions(-) diff --git a/fetch.bs b/fetch.bs index 646d6b701..d6d659872 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1156,7 +1156,7 @@ Unless stated otherwise, it is zero.

      A request has an associated response tainting, -which is "basic", "corb", "cors", or "opaque". +which is "basic", "cors", or "opaque". Unless stated otherwise, it is "basic".

      A request has an associated done flag. @@ -1413,21 +1413,6 @@ which is only "accessible" to internal specification algorithms and is never a name is a forbidden response-header name. -

      A CORB filtered response is a -filtered response whose -type is "corb", -header list excludes any -headers in -internal response's -header list whose -name is not a -CORS-safelisted response-header name, -nor a name that starts with "Access-Control-", given -internal response's -CORS-exposed header-name list, -body is null, and -trailer is empty. -

      A CORS filtered response is a filtered response whose type is "cors", @@ -2801,7 +2786,7 @@ with a CORS flag and recursive flag, run these steps:

      1. If the CORB algorithm returns blocked, then - set request's response tainting to "corb". + set request's response tainting to "opaque". Otherwise set request's response tainting to "cors". @@ -2851,8 +2836,6 @@ with a CORS flag and recursive flag, run these steps:

        "basic"
        basic filtered response -
        "corb" -
        CORB filtered response
        "cors"
        CORS filtered response
        "opaque" From 72131891ea84dd0939e4423e2ed85a244b9feac9 Mon Sep 17 00:00:00 2001 From: Lukasz Anforowicz Date: Wed, 25 Apr 2018 08:14:30 -0700 Subject: [PATCH 06/16] Apply CORB only in no-cors mode --- fetch.bs | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/fetch.bs b/fetch.bs index d6d659872..0412fb33b 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2747,9 +2747,22 @@ with a CORS flag and recursive flag, run these steps: response tainting to "opaque". -

      2. Return the result of performing a scheme fetch - using request. +

      3. Let noCorsResponse be the result of performing + a scheme fetch using request. + +

      4. If the CORB algorithm + returns blocked, then set noCorsResponse's + header list to empty and + body to null. +

        To be an effective defense against side channel attacks, + resetting of noCorsResponse's + body and header list + has to take place before the data reaches the process that hosts the cross-origin + browsing context that initiated the request. + +

      5. Return noCorsResponse. +

      request's current url's @@ -2784,11 +2797,9 @@ with a CORS flag and recursive flag, run these steps:
      Otherwise
        -

      1. If the CORB algorithm - returns blocked, then - set request's response tainting to "opaque". - Otherwise - set request's response tainting to "cors". +

      2. Set request's + response tainting to + "cors".

      3. Return the result of performing an HTTP fetch using request with CORS flag set. From 5a7980c56d93e8ed12927a5de3be20b9ae9e2acf Mon Sep 17 00:00:00 2001 From: Lukasz Anforowicz Date: Wed, 25 Apr 2018 08:22:13 -0700 Subject: [PATCH 07/16] 'no-cors' already excludes navigational requests --- fetch.bs | 6 ------ 1 file changed, 6 deletions(-) diff --git a/fetch.bs b/fetch.bs index 0412fb33b..31cb2acd0 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2362,12 +2362,6 @@ pertain to them. Also, considering "image" was not compatible with

        Run these steps:

          -

        1. If request's destination is - "document", - "embed" or - "object" - then return allowed. -

        2. If request's initiator is "download" then return allowed. From efd0bd68fb74ab7db26c994b25b5cfe14a1102e0 Mon Sep 17 00:00:00 2001 From: Lukasz Anforowicz Date: Wed, 25 Apr 2018 09:08:54 -0700 Subject: [PATCH 08/16] Inject a *new* response and copy over only explicitly mentioned response fields --- fetch.bs | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/fetch.bs b/fetch.bs index 31cb2acd0..a368534e6 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2746,14 +2746,23 @@ with a CORS flag and recursive flag, run these steps:

        3. If the CORB algorithm - returns blocked, then set noCorsResponse's - header list to empty and - body to null. -

          To be an effective defense against side channel attacks, - resetting of noCorsResponse's - body and header list - has to take place before the data reaches the process that hosts the cross-origin - browsing context that initiated the request. + returns blocked, then +

            +

          • Let oldNoCorsResponse hold the old noCorsResponse value. +

          • Set noCorsResponse to a new response + (with default, empty header list and + default, null body). +

            To be an effective defense against side channel attacks, + resetting of noCorsResponse's + body and header list + has to take place before the data reaches the process that hosts the cross-origin + browsing context that initiated the request. +

          • Copy response + type, + url, url list, + status, status message + from oldNoCorsResponse to noCorsResponse. +

        4. Return noCorsResponse. From c4a5a28848d5dcc85b66fbf19fc54f079184f3a1 Mon Sep 17 00:00:00 2001 From: Anne van Kesteren Date: Thu, 26 Apr 2018 15:18:57 +0200 Subject: [PATCH 09/16] formatting nits --- fetch.bs | 96 +++++++++++++++++++++++++------------------------------- 1 file changed, 43 insertions(+), 53 deletions(-) diff --git a/fetch.bs b/fetch.bs index a368534e6..c4ac126f5 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2362,42 +2362,33 @@ pertain to them. Also, considering "image" was not compatible with

          Run these steps:

            -

          1. If request's initiator is - "download" - then return allowed. +

          2. If request's initiator is "download", then return + allowed. + -

          3. If request's current url's origin's - scheme is neither "http" nor "https" - then return allowed. +

          4. +

            If request's current url's origin's + scheme is not an HTTP(S) scheme, then return allowed. -

            Checking the scheme of -current url's origin -(rather than of current url's itself) -ensures that blob URIs are handled correctly

            +

            Checking the scheme of current url's + origin, rather than of current url's itself, ensures that + blob: URLs are handled correctly.

          5. Let mimeType be the result of extracting a MIME type - from response's header list. - -

          6. If response's status is 206 and - mimeType (ignoring parameters) is - a HTML MIME type or - a JSON MIME type or - an XML MIME type (except "image/svg+xml") - then return blocked. - -

          7. Let nosniff be the result of extracting header values - from the first header whose name - is a byte-case-insensitive match for - `X-Content-Type-Options` - in response's header list. - -

          8. If nosniff is not a failure and - mimeType (ignoring parameters) is - a HTML MIME type or - a JSON MIME type or - an XML MIME type (except "image/svg+xml") or - a "text/plain" MIME type - then return blocked. + from response's header list. + +

          9. If response's status is 206 and + mimeType (ignoring parameters) is an HTML MIME type, a JSON MIME type, or + an XML MIME type, but not "image/svg+xml, then return blocked. + +

          10. Let nosniff be the result of extracting header values from the + first header whose name is a byte-case-insensitive + match for `X-Content-Type-Options` in response's + header list. + +

          11. If nosniff is not a failure and mimeType (ignoring parameters) is + text/plain, an HTML MIME type, a JSON MIME type, or an + XML MIME type, but not image/svg+xml, then return blocked. @@ -2741,31 +2732,30 @@ with a CORS flag and recursive flag, run these steps: response tainting to "opaque". -

          12. Let noCorsResponse be the result of performing - a scheme fetch using request. +

          13. Let noCorsResponse be the result of performing a scheme fetch using + request. -

          14. If the CORB algorithm - returns blocked, then -

              -

            • Let oldNoCorsResponse hold the old noCorsResponse value. -

            • Set noCorsResponse to a new response - (with default, empty header list and - default, null body). -

              To be an effective defense against side channel attacks, - resetting of noCorsResponse's - body and header list - has to take place before the data reaches the process that hosts the cross-origin - browsing context that initiated the request. -

            • Copy response - type, - url, url list, - status, status message - from oldNoCorsResponse to noCorsResponse. -

            +
          15. +

            If noCorsResponse is not a filtered response and + the CORB algorithm returns + blocked, then: -

          16. Return noCorsResponse. +

              +

            1. Let oldNoCorsResponse be noCorsResponse. +

            2. +

              Set noCorsResponse to a new response whose + status is oldNoCorsResponse's status, + HTTPS state is oldNoCorsResponse's + HTTPS state, and CSP list is + oldNoCorsResponse's CSP list. + +

              To be an effective defense against side channel attacks, + oldNoCorsResponse cannot reach the process that initiated the request. +

            + +

          17. Return noCorsResponse.

          request's current url's From f2c604b6adb9631c66eb9e45735686d7b93f3b4e Mon Sep 17 00:00:00 2001 From: Anne van Kesteren Date: Thu, 26 Apr 2018 15:48:41 +0200 Subject: [PATCH 10/16] oops --- fetch.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fetch.bs b/fetch.bs index c4ac126f5..745b55dfd 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2387,7 +2387,7 @@ pertain to them. Also, considering "image" was not compatible with header list.

        5. If nosniff is not a failure and mimeType (ignoring parameters) is - text/plain, an HTML MIME type, a JSON MIME type, or an + text/plain, an HTML MIME type, a JSON MIME type, or an XML MIME type, but not image/svg+xml, then return blocked. From cf4e5a32b863cd9675eaabcac3e9c21c0becb500 Mon Sep 17 00:00:00 2001 From: Lukasz Anforowicz Date: Mon, 30 Apr 2018 12:08:59 -0700 Subject: [PATCH 11/16] Introductory paragraph and CORB-protected MIME type definition --- fetch.bs | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/fetch.bs b/fetch.bs index 745b55dfd..ac10a141b 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2356,7 +2356,21 @@ pertain to them. Also, considering "image" was not compatible with

          Cross-Origin Read Blocking (CORB)

          -

          Should +

          Cross-Origin Read Blocking (CORB) is an algorithm by which dubious +cross-origin resource loads may be identified and blocked by web browsers +before they reach the web page. CORB reduces the risk of leaking sensitive data +by keeping it further from cross-origin web pages. + +

          CORB-protected MIME type is an HTML MIME type, a JSON MIME type, or + an XML MIME type (but not "image/svg+xml"). + +

          Accessing cross-origin resources with CORB-protected MIME types is either +managed by the CORS protocol (e.g. in case of fetch() or {{XMLHttpRequest}}), +not observable (e.g. in case of pings or CSP reports which ignore the response) or +would result in an error (e.g. when failing to decode as an image an HTML document embedded in an img tag). +This means that CORB can block CORB-protected MIME types resources without being disruptive to web pages. + +

          Should response to request be blocked due to CORB?

          Run these steps: @@ -2370,16 +2384,12 @@ pertain to them. Also, considering "image" was not compatible with

          If request's current url's origin's scheme is not an HTTP(S) scheme, then return allowed. -

          Checking the scheme of current url's - origin, rather than of current url's itself, ensures that - blob: URLs are handled correctly. -

        6. Let mimeType be the result of extracting a MIME type from response's header list.

        7. If response's status is 206 and - mimeType (ignoring parameters) is an HTML MIME type, a JSON MIME type, or - an XML MIME type, but not "image/svg+xml, then return blocked. + mimeType (ignoring parameters) is a CORB-protected MIME type, + then return blocked.

        8. Let nosniff be the result of extracting header values from the first header whose name is a byte-case-insensitive @@ -2387,8 +2397,8 @@ pertain to them. Also, considering "image" was not compatible with header list.

        9. If nosniff is not a failure and mimeType (ignoring parameters) is - text/plain, an HTML MIME type, a JSON MIME type, or an - XML MIME type, but not image/svg+xml, then return blocked. + is a CORB-protected MIME type or "text/plain", + then return blocked. From d010a9902515bb9d4773172ea8842146434d2024 Mon Sep 17 00:00:00 2001 From: Anne van Kesteren Date: Fri, 4 May 2018 14:22:58 +0200 Subject: [PATCH 12/16] editorial nits * MIME types are without quotes * No need to talk about current url's origin anymore. --- fetch.bs | 49 ++++++++++++++++++++++--------------------------- 1 file changed, 22 insertions(+), 27 deletions(-) diff --git a/fetch.bs b/fetch.bs index ac10a141b..c9e783e63 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2354,51 +2354,47 @@ X-Content-Type-Options = "nosniff" ; case-insensitive pertain to them. Also, considering "image" was not compatible with deployed content. -

          Cross-Origin Read Blocking (CORB)

          +

          CORB

          -

          Cross-Origin Read Blocking (CORB) is an algorithm by which dubious -cross-origin resource loads may be identified and blocked by web browsers -before they reach the web page. CORB reduces the risk of leaking sensitive data -by keeping it further from cross-origin web pages. +

          Cross-origin read blocking, better known as CORB, is an algorithm by which dubious +cross-origin resource fetches are identified and blocked before they reach a web page. CORB reduces +the risk of leaking sensitive data by keeping it further from cross-origin web pages. -

          CORB-protected MIME type is an HTML MIME type, a JSON MIME type, or - an XML MIME type (but not "image/svg+xml"). +

          A CORB-protected MIME type is an HTML MIME type, a JSON MIME type, or an +XML MIME type excluding image/svg+xml. -

          Accessing cross-origin resources with CORB-protected MIME types is either -managed by the CORS protocol (e.g. in case of fetch() or {{XMLHttpRequest}}), -not observable (e.g. in case of pings or CSP reports which ignore the response) or -would result in an error (e.g. when failing to decode as an image an HTML document embedded in an img tag). -This means that CORB can block CORB-protected MIME types resources without being disruptive to web pages. +

          Accessing cross-origin resources with CORB-protected MIME types is +managed by the CORS protocol (e.g., in case of fetch() or +{{XMLHttpRequest}}), not observable (e.g., in case of pings or CSP reports which ignore the +response), or would result in an error (e.g., when failing to decode an HTML document embedded in an +img tag as an image). This means that CORB can block CORB-protected MIME types +resources without being disruptive to web pages. -

          Should -response to request be blocked due to CORB?

          - -

          Run these steps: +

          To perform a CORB check, given a request and response, +run these steps:

          1. If request's initiator is "download", then return allowed. -

          2. -

            If request's current url's origin's - scheme is not an HTTP(S) scheme, then return allowed. +

          3. If request's current url's scheme is not an + HTTP(S) scheme, then return allowed.

          4. Let mimeType be the result of extracting a MIME type from response's header list.

          5. If response's status is 206 and - mimeType (ignoring parameters) is a CORB-protected MIME type, - then return blocked. + mimeType (ignoring parameters) is a CORB-protected MIME type, then return + blocked.

          6. Let nosniff be the result of extracting header values from the first header whose name is a byte-case-insensitive match for `X-Content-Type-Options` in response's header list. -

          7. If nosniff is not a failure and mimeType (ignoring parameters) is - is a CORB-protected MIME type or "text/plain", - then return blocked. +

          8. If nosniff is not failure and mimeType (ignoring parameters) is a + CORB-protected MIME type or text/plain, then return blocked. @@ -2747,9 +2743,8 @@ with a CORS flag and recursive flag, run these steps:

          9. -

            If noCorsResponse is not a filtered response and - the CORB algorithm returns - blocked, then: +

            If noCorsResponse is not a filtered response and the CORB check + with request and noCorsResponse returns blocked, then:

            1. Let oldNoCorsResponse be noCorsResponse. From 3011eefad35f76fbf80690e180c16620a4968f72 Mon Sep 17 00:00:00 2001 From: Lukasz Anforowicz Date: Fri, 4 May 2018 15:37:02 -0700 Subject: [PATCH 13/16] Adding my name to the Acknowledgments section :-) --- fetch.bs | 1 + 1 file changed, 1 insertion(+) diff --git a/fetch.bs b/fetch.bs index c9e783e63..63c90bc87 100644 --- a/fetch.bs +++ b/fetch.bs @@ -6356,6 +6356,7 @@ Larry Masinter, Liam Brummitt, Louis Ryan, Lucas Gonze, +Łukasz Anforowicz, 呂康豪 (Kang-Hao Lu), Maciej Stachowiak, Malisa, From 188b36edb96de65cdea8910a8bf7d748a304ed44 Mon Sep 17 00:00:00 2001 From: Lukasz Anforowicz Date: Mon, 7 May 2018 11:19:56 -0700 Subject: [PATCH 14/16] Addressed CR feedback from @jakearchibald --- fetch.bs | 40 +++++++++++++++++++--------------------- 1 file changed, 19 insertions(+), 21 deletions(-) diff --git a/fetch.bs b/fetch.bs index 63c90bc87..33a23feb2 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2356,15 +2356,16 @@ pertain to them. Also, considering "image" was not compatible with

              CORB

              -

              Cross-origin read blocking, better known as CORB, is an algorithm by which dubious -cross-origin resource fetches are identified and blocked before they reach a web page. CORB reduces -the risk of leaking sensitive data by keeping it further from cross-origin web pages. +

              Cross-origin read blocking, better known as CORB, is an algorithm which identifies +dubious cross-origin resource fetches (e.g., fetches that would fail anyway like attempts to render +JSON inside an img tag) and blocks them before they reach a web page. CORB reduces the risk of +leaking sensitive data by keeping it further from cross-origin web pages.

              A CORB-protected MIME type is an HTML MIME type, a JSON MIME type, or an XML MIME type excluding image/svg+xml. -

              Accessing cross-origin resources with CORB-protected MIME types is -managed by the CORS protocol (e.g., in case of fetch() or +

              Even without CORB, accessing the content of cross-origin resources with +CORB-protected MIME types is either managed by the CORS protocol (e.g., in case of {{XMLHttpRequest}}), not observable (e.g., in case of pings or CSP reports which ignore the response), or would result in an error (e.g., when failing to decode an HTML document embedded in an img tag as an image). This means that CORB can block CORB-protected MIME types @@ -2396,6 +2397,10 @@ run these steps:

            2. If nosniff is not failure and mimeType (ignoring parameters) is a CORB-protected MIME type or text/plain, then return blocked. +

              CORB protects text/plain responses in presence of +nosniff header, but not if status is 206 to avoid +breaking existing websites that serve video resources with text/plain MIME type. + @@ -2742,25 +2747,18 @@ with a CORS flag and recursive flag, run these steps: request. -

            3. -

              If noCorsResponse is not a filtered response and the CORB check - with request and noCorsResponse returns blocked, then: +

            4. If the CORB check with request and noCorsResponse returns + allowed, then return noCorsResponse. -

                -

              1. Let oldNoCorsResponse be noCorsResponse. +

              2. Set corbSanitizedResponse to a new response whose + status is noCorsResponse's status, + HTTPS state is noCorsResponse's HTTPS state, + and CSP list is noCorsResponse's CSP list. -

              3. -

                Set noCorsResponse to a new response whose - status is oldNoCorsResponse's status, - HTTPS state is oldNoCorsResponse's - HTTPS state, and CSP list is - oldNoCorsResponse's CSP list. - -

                To be an effective defense against side channel attacks, - oldNoCorsResponse cannot reach the process that initiated the request. -

              +

              The step above is an effective defense against side channel attacks, + only if noCorsResponse doesn't reach the process that initiated the request. -

            5. Return noCorsResponse. +

            6. Return corbSanitizedResponse.

            request's current url's From 5884f852a9a64b6137772191962e5595b2cc6789 Mon Sep 17 00:00:00 2001 From: Lukasz Anforowicz Date: Mon, 7 May 2018 11:33:35 -0700 Subject: [PATCH 15/16] Skipping CORB response blocking for already filtered responses --- fetch.bs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fetch.bs b/fetch.bs index 33a23feb2..aba1d117d 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2750,6 +2750,9 @@ with a CORS flag and recursive flag, run these steps:

          10. If the CORB check with request and noCorsResponse returns allowed, then return noCorsResponse. +

          11. If noCorsResponse is a filtered response, then return + noCorsResponse. +

          12. Set corbSanitizedResponse to a new response whose status is noCorsResponse's status, HTTPS state is noCorsResponse's HTTPS state, From 862b86db97b31c20bcea872bf59eae65156cb019 Mon Sep 17 00:00:00 2001 From: Anne van Kesteren Date: Fri, 11 May 2018 10:27:29 +0200 Subject: [PATCH 16/16] make download issue public; merge filtered step back in; reword a couple things and editorialize --- fetch.bs | 50 +++++++++++++++++++++++++++----------------------- 1 file changed, 27 insertions(+), 23 deletions(-) diff --git a/fetch.bs b/fetch.bs index aba1d117d..15293941d 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2358,8 +2358,8 @@ pertain to them. Also, considering "image" was not compatible with

            Cross-origin read blocking, better known as CORB, is an algorithm which identifies dubious cross-origin resource fetches (e.g., fetches that would fail anyway like attempts to render -JSON inside an img tag) and blocks them before they reach a web page. CORB reduces the risk of -leaking sensitive data by keeping it further from cross-origin web pages. +JSON inside an img element) and blocks them before they reach a web page. CORB reduces +the risk of leaking sensitive data by keeping it further from cross-origin web pages.

            A CORB-protected MIME type is an HTML MIME type, a JSON MIME type, or an XML MIME type excluding image/svg+xml. @@ -2368,16 +2368,18 @@ leaking sensitive data by keeping it further from cross-origin web pages. CORB-protected MIME types is either managed by the CORS protocol (e.g., in case of {{XMLHttpRequest}}), not observable (e.g., in case of pings or CSP reports which ignore the response), or would result in an error (e.g., when failing to decode an HTML document embedded in an -img tag as an image). This means that CORB can block CORB-protected MIME types -resources without being disruptive to web pages. +img element as an image). This means that CORB can block +CORB-protected MIME types resources without being disruptive to web pages.

            To perform a CORB check, given a request and response, run these steps:

              -

            1. If request's initiator is "download", then return - allowed. - +

            2. +

              If request's initiator is "download", then return + allowed. + +

              If we recast downloading as navigation this step can be removed.

            3. If request's current url's scheme is not an HTTP(S) scheme, then return allowed. @@ -2394,12 +2396,14 @@ run these steps:

              match for `X-Content-Type-Options` in response's header list. -

            4. If nosniff is not failure and mimeType (ignoring parameters) is a - CORB-protected MIME type or text/plain, then return blocked. +

            5. +

              If nosniff is not failure and mimeType (ignoring parameters) is a + CORB-protected MIME type or text/plain, then return blocked. -

              CORB protects text/plain responses in presence of -nosniff header, but not if status is 206 to avoid -breaking existing websites that serve video resources with text/plain MIME type. +

              CORB only protects text/plain responses with a + `X-Content-Type-Options: nosniff` header. Unfortunately, protecting such responses + without that header when their status is 206 would break too many + existing video responses that have a text/plain MIME type. @@ -2747,19 +2751,19 @@ with a CORS flag and recursive flag, run these steps: request. -

            6. If the CORB check with request and noCorsResponse returns - allowed, then return noCorsResponse. - -

            7. If noCorsResponse is a filtered response, then return +

            8. If noCorsResponse is a filtered response or the CORB check with + request and noCorsResponse returns allowed, then return noCorsResponse. -

            9. Set corbSanitizedResponse to a new response whose - status is noCorsResponse's status, - HTTPS state is noCorsResponse's HTTPS state, - and CSP list is noCorsResponse's CSP list. - -

              The step above is an effective defense against side channel attacks, - only if noCorsResponse doesn't reach the process that initiated the request. +

            10. +

              Set corbSanitizedResponse to a new response whose + status is noCorsResponse's status, + HTTPS state is noCorsResponse's + HTTPS state, and CSP list is + noCorsResponse's CSP list. + +

              This is only an effective defense against side channel attacks if + noCorsResponse is kept isolated from the process that initiated the request.

            11. Return corbSanitizedResponse.