Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make TAO a subset of CORS #178

Open
yoavweiss opened this issue Nov 13, 2018 · 5 comments
Open

Make TAO a subset of CORS #178

yoavweiss opened this issue Nov 13, 2018 · 5 comments
Labels
enhancement requires Fetch integration
Projects
Triage
Milestone
Level 3

Comments

@yoavweiss
Copy link
Contributor

The current timing allow check algorithm does not take CORS into account. Effectively that means that even when a response is not opaque and its contents can be inspected by script, its detailed timing information will not be available.

I believe that if a request's response is available for inspection, its timing information cannot reveal any new information, so there's no reason for us to gate it on the presence of TAO headers. Therefore, I propose to further integrate the timing allow check with the CORS check, so that if the latter passes, the former passes as well.

/cc @annevk
@annevk
Copy link
Member

annevk commented Nov 13, 2018

I agree with what you're going for here, but to be clear, you cannot perform a CORS check on an arbitrary response. If you fetch something with mode "cors" and you get a response, all is good. You want https://html.spec.whatwg.org/#cors-same-origin which at some point we should uplift to Fetch I suppose. (This is also what's wrong with the timing allow check and putting the focus on that. It's really a property of the entire fetching process as this kind of check needs to be applied to each applicable redirect, etc.)
@yoavweiss
Copy link
Contributor Author

Discussed on the WG call:

  • This will require a security/privacy review to make sure this doesn't enable any attack scenarios
  • We need to evaluate the impact (AI on @nicjansma & @yoavweiss to gather data)
  • This requires Fetch integration, so makes sense to push this to L3
@yoavweiss yoavweiss added this to the Level 3 milestone Nov 27, 2018
@annevk
Copy link
Member

annevk commented Nov 28, 2018

I don't think it makes sense to continue pushing everyone out that requires Fetch integration, as you're effectively postponing rather critical infrastructure issues.
@yoavweiss yoavweiss mentioned this issue Nov 28, 2018
Closed
@yoavweiss
Copy link
Contributor Author

@annevk - opened #179 as this is an orthogonal discussion to this specific issue. Let's have it there.
@nicjansma
Copy link
Contributor

nicjansma commented Jan 8, 2019
edited
Loading

I did a crawl of the Alexa 1K and split resources out into 4 categories:

  • Fully Visible: Available in ResourceTiming and have full timing information (same-origin or have TAO)
  • Restricted: Available in ResourceTiming and have partial timing (cross-origin without TAO)
    • Allowed by CORS: Restricted entries that have a ACAO header
  • Missing: Not available in ResourceTiming (fetched from a cross-origin IFRAME)

Here's the Alexa 1K totals:

  • Resources: 106,152
    • Fully Visible: 29,497 (27%)
    • Restricted: 56,889 (53.5%)
      • Allowed by CORS: 23,991 (42% of Restricted)
    • Missing: 19,766 (18%)

So if we were to apply the CORS check if TAO is missing, around 42% of Restricted entries could made Fully Visible, and the overall Fully Visible entries might increase from around 27% to around 50%.

(note I didn't verify if the ACAO header satisfies the CORS check, just the existence of one)
@yoavweiss yoavweiss mentioned this issue Jan 31, 2019
Closed
@yoavweiss yoavweiss mentioned this issue Oct 15, 2019
Closed
@npm1 npm1 mentioned this issue Feb 14, 2020
Open
@yoavweiss yoavweiss added this to Triage in Triage May 5, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement requires Fetch integration
3 participants
@yoavweiss @nicjansma @annevk