Have CORP check rely on request's response tainting rather than request's mode #985
Comments
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Dec 18, 2019
[PROTOTYPE] => DO NOT COMMIT. Document using: "Cross-Origin-Embedder-Policy: require-corp" must not access cross-origin response that do not have the header: "Cross-Origin-Resource-Policy: cross-site" This is about only no-cors requests. CORS requests are checked against the CORS headers instead. See: - whatwg/fetch#985 - w3c/ServiceWorker#1490 Bug:1031542 Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Dec 18, 2019
[PROTOTYPE] => DO NOT COMMIT. Document using: "Cross-Origin-Embedder-Policy: require-corp" must not access cross-origin response that do not have the header: "Cross-Origin-Resource-Policy: cross-site" This is about only no-cors requests. CORS requests are checked against the CORS headers instead. See: - whatwg/fetch#985 - w3c/ServiceWorker#1490 Bug:1031542 Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Dec 18, 2019
[PROTOTYPE] => DO NOT COMMIT. Document using: "Cross-Origin-Embedder-Policy: require-corp" must not access cross-origin response that do not have the header: "Cross-Origin-Resource-Policy: cross-site" This is about only no-cors requests. CORS requests are checked against the CORS headers instead. See: - whatwg/fetch#985 - w3c/ServiceWorker#1490 Bug:1031542 Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Dec 19, 2019
[PROTOTYPE] => DO NOT COMMIT. Document using: "Cross-Origin-Embedder-Policy: require-corp" must not access cross-origin response that do not have the header: "Cross-Origin-Resource-Policy: cross-site" This is about only no-cors requests. CORS requests are checked against the CORS headers instead. See: - whatwg/fetch#985 - w3c/ServiceWorker#1490 Bug:1031542 Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Dec 19, 2019
Document using: "Cross-Origin-Embedder-Policy: require-corp" must not access cross-origin response that do not have the header: "Cross-Origin-Resource-Policy: cross-site" This is about only no-cors requests. CORS requests are checked against the CORS headers instead. See: - whatwg/fetch#985 - w3c/ServiceWorker#1490 Bug:1031542 Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Dec 19, 2019
Document using: "Cross-Origin-Embedder-Policy: require-corp" must not access cross-origin response that do not have the header: "Cross-Origin-Resource-Policy: cross-site" This is about only no-cors requests. CORS requests are checked against the CORS headers instead. See: - whatwg/fetch#985 - w3c/ServiceWorker#1490 Bug:1031542 Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Dec 19, 2019
Document using: "Cross-Origin-Embedder-Policy: require-corp" must not access cross-origin response that do not have the header: "Cross-Origin-Resource-Policy: cross-site" This is about only no-cors requests. CORS requests are checked against the CORS headers instead. See: - whatwg/fetch#985 - w3c/ServiceWorker#1490 Bug:1031542 Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Dec 20, 2019
Document using: "Cross-Origin-Embedder-Policy: require-corp" must not access cross-origin response that do not have the header: "Cross-Origin-Resource-Policy: cross-site" This is about only no-cors requests. CORS requests are checked against the CORS headers instead. See: - whatwg/fetch#985 - w3c/ServiceWorker#1490 Bug:1031542 Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9
|
Given the check the only caller does today is
per https://fetch.spec.whatwg.org/#ref-for-cross-origin-resource-policy-check perhaps that initial step
is even redundant? I think we should investigate how this should change together with the change to enforce this for a service worker response. |
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Dec 20, 2019
Document using: "Cross-Origin-Embedder-Policy: require-corp" must not access cross-origin response that do not have the header: "Cross-Origin-Resource-Policy: cross-site" This is about only no-cors requests. CORS requests are checked against the CORS headers instead. See: - whatwg/fetch#985 - w3c/ServiceWorker#1490 Bug: 1031542 Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1973913 Auto-Submit: Arthur Sonzogni <[email protected]> Reviewed-by: Camille Lamy <[email protected]> Reviewed-by: Ben Kelly <[email protected]> Reviewed-by: Mike West <[email protected]> Commit-Queue: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/master@{#726782}
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Dec 20, 2019
Document using: "Cross-Origin-Embedder-Policy: require-corp" must not access cross-origin response that do not have the header: "Cross-Origin-Resource-Policy: cross-site" This is about only no-cors requests. CORS requests are checked against the CORS headers instead. See: - whatwg/fetch#985 - w3c/ServiceWorker#1490 Bug: 1031542 Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1973913 Auto-Submit: Arthur Sonzogni <[email protected]> Reviewed-by: Camille Lamy <[email protected]> Reviewed-by: Ben Kelly <[email protected]> Reviewed-by: Mike West <[email protected]> Commit-Queue: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/master@{#726782}
|
Yes, that is a possible approach. Do you think it's better? Regarding the service worker response, it is now part of https://github.com/mikewest/corpp. |
|
I think I would prefer putting all the checks in Fetch, if possible (Fetch gets the response from the service worker and can do it, after all), rather than putting security checks in Service Workers for this. |
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this issue
Jan 3, 2020
…estonly Automatic update from web-platform-tests COEP: Enforce CORP in cache.match() Document using: "Cross-Origin-Embedder-Policy: require-corp" must not access cross-origin response that do not have the header: "Cross-Origin-Resource-Policy: cross-site" This is about only no-cors requests. CORS requests are checked against the CORS headers instead. See: - whatwg/fetch#985 - w3c/ServiceWorker#1490 Bug: 1031542 Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1973913 Auto-Submit: Arthur Sonzogni <[email protected]> Reviewed-by: Camille Lamy <[email protected]> Reviewed-by: Ben Kelly <[email protected]> Reviewed-by: Mike West <[email protected]> Commit-Queue: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/master@{#726782} -- wpt-commits: 236e6dbc70e128ab5ff5bad6ab98888281df8ffd wpt-pr: 20840
xeonchen
pushed a commit
to xeonchen/gecko
that referenced
this issue
Jan 3, 2020
…estonly Automatic update from web-platform-tests COEP: Enforce CORP in cache.match() Document using: "Cross-Origin-Embedder-Policy: require-corp" must not access cross-origin response that do not have the header: "Cross-Origin-Resource-Policy: cross-site" This is about only no-cors requests. CORS requests are checked against the CORS headers instead. See: - whatwg/fetch#985 - w3c/ServiceWorker#1490 Bug: 1031542 Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1973913 Auto-Submit: Arthur Sonzogni <[email protected]> Reviewed-by: Camille Lamy <[email protected]> Reviewed-by: Ben Kelly <[email protected]> Reviewed-by: Mike West <[email protected]> Commit-Queue: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/master@{#726782} -- wpt-commits: 236e6dbc70e128ab5ff5bad6ab98888281df8ffd wpt-pr: 20840
|
I prefer running a CORP check in cache.match(w3c/ServiceWorker#1490), which means calling it from the SW spec. |
|
Fair, I guess that would be the exception, but I don't think we need it for |
This was referenced Jun 2, 2020
mfreed7
pushed a commit
to mfreed7/html
that referenced
this issue
Sep 11, 2020
Merges https://github.com/WICG/cross-origin-embedder-policy into HTML. Associated PRs: * whatwg/fetch#1030 * w3c/ServiceWorker#1516 * w3c/css-houdini-drafts#992 Fixes whatwg#5368, fixes whatwg#5634, fixes whatwg/fetch#985, and fixes w3c/ServiceWorker#1490. Follow-up: whatwg#4916, whatwg#4919, whatwg#4930 whatwg#5223, and whatwg#5391. (As well as defining cross-origin isolated, per whatwg#4732.)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Brought up at https://chromium-review.googlesource.com/c/chromium/src/+/1971810, related with w3c/ServiceWorker#1490.
We would like to run the CORP check in CacheStorage for COEP (w3c/ServiceWorker#1490), but currently the CORP check relies on the request mode which is not directly accessible there. request's response tainting is stored as response type and we can use it. What do you think about changing the first item as follows?
If request's response tainting is not "opaque", then return allowed.
In the CacheStorage spec, we will restore a request for the CORP check as follows:
@ArthurSonzogni @wanderview @annevk
The text was updated successfully, but these errors were encountered: