To add another layer of defense against cross-origin timing attacks, we should add language along the lines of:
When the server receives a `sec-bikeshed-dictionary-available: sha256=:<hash>:` request that includes an `authority` or `origin` as well as a `referer` request header, and where the `referer` is cross-origin, the dictionary may only be used for compression if the response headers include an `Access-Control-Allow-Origin:` that includes the origin from the `referer` header.
It could be tweaked to use different `sec-*` headers to detect the cross-origin nature of the request, but the requirement is to prevent servers from even sending responses using dictionary compression that should be opaque (and opening up the possibility of a timing attack).
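The gate proposed above, written out as a server-side decision function. This is an added example, not code from the issue or from any implementation of the draft: it assumes headers arrive as a case-insensitive mapping, derives the request's own origin from `Origin` or from the `:scheme`/`:authority` pseudo-headers (defaulting the scheme to `https` when `:scheme` is absent), and treats an unparsable `Referer` as cross-origin so the check fails closed. The `allow_wildcard` flag is also an assumption: the comment only requires that `Access-Control-Allow-Origin` include the referer's origin, so `*` is rejected by default. The header values below are constructed sample data.

```python
"""Decide whether a response may be compressed with the advertised dictionary.

Rule (from the proposal): if the request carries sec-bikeshed-dictionary-available
together with an authority/origin and a referer, and the referer is cross-origin,
dictionary compression is only allowed when the response's
Access-Control-Allow-Origin includes the referer's origin.
"""
from typing import Mapping, Optional
from urllib.parse import urlsplit

DICT_HEADER = "sec-bikeshed-dictionary-available"


def origin_of(url: str) -> Optional[str]:
    """Return scheme://host[:port] for an absolute URL, or None if unparsable.

    Simplification: default ports are not normalised, so https://a and
    https://a:443 compare as different origins.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def request_origin(req: Mapping[str, str]) -> Optional[str]:
    """Origin the request was made to: prefer Origin, else :scheme + :authority.

    Assumption (not in the proposal): missing :scheme is taken to be https.
    """
    origin = req.get("origin")
    if origin and origin.lower() != "null":
        return origin_of(origin)
    authority = req.get(":authority") or req.get("host")
    if not authority:
        return None
    scheme = req.get(":scheme", "https")
    return f"{scheme}://{authority}".lower()


def may_use_dictionary(req_headers: Mapping[str, str],
                       resp_headers: Mapping[str, str],
                       allow_wildcard: bool = False) -> bool:
    """True if the server may apply dictionary compression to this response."""
    req = {k.lower(): v for k, v in req_headers.items()}
    resp = {k.lower(): v for k, v in resp_headers.items()}

    if DICT_HEADER not in req:
        return False  # client advertised no dictionary; nothing to compress against

    own = request_origin(req)
    referer = req.get("referer")
    if own is None or referer is None:
        return True  # the rule applies only when both sides of the comparison exist

    ref_origin = origin_of(referer)
    if ref_origin is not None and ref_origin == own:
        return True  # same-origin navigation/fetch: no cross-origin exposure

    # Cross-origin (or undeterminable) referer: require an explicit CORS grant.
    acao = resp.get("access-control-allow-origin")
    if acao is None or ref_origin is None:
        return False
    allowed = {v.strip().lower() for v in acao.split(",")}
    if allow_wildcard and "*" in allowed:
        return True
    return ref_origin in allowed


# Constructed sample headers (hash value is a placeholder, not a real digest).
REQ_SAME_ORIGIN = {
    "Origin": "https://app.example",
    "Referer": "https://app.example/page",
    DICT_HEADER: "sha256=:PLACEHOLDERHASH:",
}
REQ_CROSS_ORIGIN = {
    ":scheme": "https",
    ":authority": "cdn.example",
    "Referer": "https://attacker.example/embed",
    DICT_HEADER: "sha256=:PLACEHOLDERHASH:",
}
RESP_PLAIN = {"Content-Type": "text/html"}
RESP_ACAO_MATCH = {"Access-Control-Allow-Origin": "https://attacker.example"}
RESP_ACAO_OTHER = {"Access-Control-Allow-Origin": "https://partner.example"}
RESP_ACAO_STAR = {"Access-Control-Allow-Origin": "*"}

if __name__ == "__main__":
    print("same-origin:", may_use_dictionary(REQ_SAME_ORIGIN, RESP_PLAIN))
    print("cross-origin, no ACAO:", may_use_dictionary(REQ_CROSS_ORIGIN, RESP_PLAIN))
    print("cross-origin, ACAO grants:", may_use_dictionary(REQ_CROSS_ORIGIN, RESP_ACAO_MATCH))
```

The function fails closed on a cross-origin referer without a matching grant, which is the property the proposal is after: the compressed (and therefore timing-distinguishable) response never leaves the server unless the origin that would observe it is one the server has already agreed to expose the resource to via CORS.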