Open Bug 1289387 Opened 9 years ago Updated 1 month ago

Follow up fixes to sendBeacon()'s request mode

Categories

(Core :: DOM: Networking, defect, P3)

People

(Reporter: annevk, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-sop, sec-low, Whiteboard: [domsecurity-backlog3][necko-triaged])

In bug 1280692 we are changing the default request mode for sendBeacon() to "no-cors", falling back to "cors" for Blobs. https://github.com/w3c/beacon/pull/34 changes the sendBeacon() standard to switch on the MIME type of the content rather than special-casing blobs. Now, while we might want to further change to align with that, another problem here is https://bugs.chromium.org/p/chromium/issues/detail?id=490015 which indicates that Chrome always uses "cors" and therefore does not protect servers against malicious Content-Type headers. So maybe we want to wait until that is resolved before making the "final" decision on sendBeacon()'s security policy.
Correction: Chrome always uses "no-cors", doh.
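Added example, not part of the bug thread and not Gecko or Chromium code: a sketch contrasting the two rules discussed above, "cors" for every Blob versus switching on the payload's MIME type. It assumes "switch on the MIME type" means the Fetch Standard's test for a CORS-safelisted Content-Type value, uses simplified MIME parsing, and all function names and sample payloads are constructed for illustration.

```javascript
// Added illustration: names below are hypothetical, not Gecko or Chromium code.
const SAFELISTED_ESSENCES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Bytes the Fetch Standard treats as CORS-unsafe inside a request-header value.
function hasCorsUnsafeByte(value) {
  for (let i = 0; i < value.length; i++) {
    const c = value.charCodeAt(i);
    if ((c < 0x20 && c !== 0x09) || c === 0x7f) return true;
    if ('"():<>?@[\\]{}'.includes(value[i])) return true;
  }
  return false;
}

function isCorsSafelistedContentType(value) {
  if (value.length > 128 || hasCorsUnsafeByte(value)) return false;
  // Simplified MIME parsing: the essence is the text before the first ";".
  const essence = value.split(";")[0].trim().toLowerCase();
  return SAFELISTED_ESSENCES.has(essence);
}

// Rule keyed on the payload's MIME type.
function modeByMimeType(contentType) {
  // An untyped Blob or an empty payload sends no Content-Type header.
  if (!contentType) return "no-cors";
  return isCorsSafelistedContentType(contentType) ? "no-cors" : "cors";
}

// Rule keyed on the payload being a Blob ("cors" for every Blob).
function modeByBlobCheck(isBlob) {
  return isBlob ? "cors" : "no-cors";
}

// Constructed sample payloads: [description, isBlob, Content-Type the browser would send].
const SAMPLES = [
  ["string body", false, "text/plain;charset=UTF-8"],
  ["FormData", false, "multipart/form-data; boundary=----constructed"],
  ["Blob typed text/plain", true, "text/plain"],
  ["Blob typed application/json", true, "application/json"],
];

function compareRules() {
  return SAMPLES.map(([name, isBlob, type]) =>
    ({ name, blobRule: modeByBlobCheck(isBlob), mimeRule: modeByMimeType(type) }));
}

console.table(compareRules());
```

The two rules differ only for a Blob whose type is already safelisted; a Blob typed application/json gets "cors" under both, so the server's CORS response decides whether the request proceeds.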
Priority: -- → P3
Whiteboard: [domsecurity-backlog]
Yeah, for some reason the Google engineers have been really nonchalant about fixing that bug, which is quite strange given that it's a security bug. I would not expect that Chrome will switch to enforcing CORS correctly anytime soon. And they might never if they run into web-compat problems, which is certainly not impossible.
Whiteboard: [domsecurity-backlog] → [domsecurity-backlog3]
Depends on: 1364132

Is this unblocked now that it seems Chrome has fixed their issue?

Flags: needinfo?(annevk)

Yeah, this would be good to fix.

Component: DOM: Security → DOM: Networking
Flags: needinfo?(annevk)
Whiteboard: [domsecurity-backlog3] → [domsecurity-backlog3][necko-triaged]
Severity: normal → S3