Bug 1483815 (Closed): opened 3 years ago, closed 3 years ago
Implement additional CORS restrictions
Change to the standard: https://github.com/whatwg/fetch/pull/736. Tests: https://github.com/web-platform-tests/wpt/pull/11432.
https://github.com/whatwg/fetch/pull/829 and https://github.com/web-platform-tests/wpt/pull/13921 complement this further. Both Chrome and Safari have already done some work here and are therefore better at protecting servers. It'd be good to align.
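The check the linked spec changes define, written out as an added example (this is my own JavaScript transcription of the Fetch Standard's "CORS-safelisted request-header" algorithm as I read it after those PRs, not code from this bug or from Firefox; the byte-level rules, the 128-byte cap and the simplified MIME essence parse are all assumptions stated in the comments). A browser runs this on every header a script sets; any header that fails it forces a CORS preflight instead of riding on a "simple" request, which is what limits the arbitrary values a server used to receive without one:

```javascript
// Added example, not code from the bug or from Firefox: a JavaScript
// transcription of the Fetch Standard's "CORS-safelisted request-header"
// check as the linked spec PRs defined it (my reading of the spec text).

// CORS-unsafe request-header byte: a control byte other than HT (0x09),
// DEL (0x7F), or one of the delimiters  " ( ) : < > ? @ [ \ ] { }
const CORS_UNSAFE_DELIMITERS = new Set(
  [...'"():<>?@[\\]{}'].map((c) => c.charCodeAt(0)),
);
function isCorsUnsafeRequestHeaderByte(b) {
  return (b < 0x20 && b !== 0x09) || b === 0x7f || CORS_UNSAFE_DELIMITERS.has(b);
}

// Accept-Language / Content-Language may only contain
// 0-9, A-Z, a-z, space, and  * , - . ; =
function isLanguageSafeByte(b) {
  return (
    (b >= 0x30 && b <= 0x39) || (b >= 0x41 && b <= 0x5a) || (b >= 0x61 && b <= 0x7a) ||
    b === 0x20 || b === 0x2a || b === 0x2c || b === 0x2d || b === 0x2e || b === 0x3b || b === 0x3d
  );
}

// Content-Type essences that stay safelisted.
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Simplified MIME type parse (assumption: the full MIME Sniffing algorithm
// also parses parameters; only the essence matters here, so everything after
// ';' is dropped). Returns the lowercased "type/subtype" or null on failure.
const TOKEN = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";
const ESSENCE_RE = new RegExp(`^(${TOKEN})/(${TOKEN})$`);
function mimeEssence(value) {
  const head = value.split(';', 1)[0].trim();
  const m = ESSENCE_RE.exec(head);
  return m ? `${m[1]}/${m[2]}`.toLowerCase() : null;
}

// The check itself. `value` is assumed to be already normalized the way the
// Headers API normalizes it (leading/trailing HTTP whitespace stripped); it is
// examined as UTF-8 bytes because the spec works on byte sequences.
function isCorsSafelistedRequestHeader(name, value) {
  const bytes = new TextEncoder().encode(value);
  if (bytes.length > 128) return false; // 128-byte cap from the spec change
  switch (name.toLowerCase()) {
    case 'accept':
      return !bytes.some(isCorsUnsafeRequestHeaderByte);
    case 'accept-language':
    case 'content-language':
      return bytes.every(isLanguageSafeByte);
    case 'content-type': {
      if (bytes.some(isCorsUnsafeRequestHeaderByte)) return false;
      const essence = mimeEssence(value);
      return essence !== null && SAFE_CONTENT_TYPES.has(essence);
    }
    default:
      return false; // any other header name is never safelisted
  }
}

// Header-only view of the preflight decision: returns the names that would
// force an OPTIONS preflight (method and other request fields are not
// considered here).
function headersForcingPreflight(headers) {
  return Object.entries(headers)
    .filter(([name, value]) => !isCorsSafelistedRequestHeader(name, value))
    .map(([name]) => name);
}

// Constructed sample header sets (not taken from the bug report).
const SAMPLE_SIMPLE = {
  'Accept': 'text/html,*/*;q=0.8',
  'Accept-Language': 'en-US,en;q=0.9',
  'Content-Type': 'text/plain; charset=utf-8',
};
const SAMPLE_NOT_SIMPLE = {
  'Accept': 'text/html; q="0.8"',        // quote is a CORS-unsafe byte
  'Accept-Language': 'en_US',            // underscore is outside the allowed set
  'Content-Type': 'application/json',    // essence is not one of the three
  'X-Requested-With': 'XMLHttpRequest',  // never safelisted
};

console.log(headersForcingPreflight(SAMPLE_SIMPLE));      // []
console.log(headersForcingPreflight(SAMPLE_NOT_SIMPLE));  // all four names
```

Two things worth noticing when running it: `Accept` tolerates non-ASCII bytes (the unsafe-byte list only covers controls and a handful of ASCII delimiters), while `Accept-Language` and `Content-Language` reject anything outside their small allowed set; and a `Content-Type` of `application/json` was never simple, so the essence rule changes nothing for JSON APIs but does stop a `text/plain` label from carrying arbitrary delimiter bytes.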
Component: DOM → DOM: Networking
Christoph - can you comment on the priority of this feature?
(In reply to Selena Deckelmann :selenamarie :selena use ni? pronoun: she from comment #2)
> Christoph - can you comment on the priority of this feature?

I've discussed things with Anne on Slack and I think we should pump up the priority on this one - probably even P1. Finally I also think we should re-open Bug 1447631 and investigate further. Probably :jkt can fix that for us. https://bugzilla.mozilla.org/show_bug.cgi?id=1447631#c23
Assignee: nobody → jkt
Status: NEW → ASSIGNED
Flags: needinfo?(ckerschb) → needinfo?(jkt)
Priority: P3 → P1
Try push here: https://treeherder.mozilla.org/#/jobs?repo=try&revision=41b883d2f9441b3ec70f2560806584f6b1871b54
Attachment #9024447 - Attachment description: Bug 1483815 - Intial implementation of stricter CORS checking, broken. → Bug 1483815 - Implement stricter CORS checking for headers.
Pushed by email@example.com: https://hg.mozilla.org/integration/autoland/rev/a46028ac9dbb Implement stricter CORS checking for headers. r=ckerschb
Pushed by firstname.lastname@example.org: https://hg.mozilla.org/mozilla-central/rev/ca9df8b30295 Implement stricter CORS checking for headers: set wpt as pass. a=wpt-fix
Note to MDN writers: I've added a note covering this to the Fx 65 rel notes: https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/65#Security In terms of the docs, I'm not sure if this needs mentioning on the Accept, Accept-Language, and Content-Language ref pages?
Thanks Chris. Nah, currently we don't mention the existing restrictions, so I suspect there isn't much value unless we have a page dedicated to CORS or the safelisted headers that explains it in more detail?
Flags: needinfo?(jkt) → needinfo?(fscholz)