noamr
commented
1 year ago This seems like a reasonable direction to me. I'd like to find a way to include DNS prefetch / preconnect as well. Perhaps we can hand-wave at that in a security considerations section, since I don't think the fetch hooks exist at the moment?
I will add a non-handwavy thing for preconnect in fetch, no need to handwave. Probably create a "fake" request just for the purpose of checking it against the policy.
I don't know if dns-prefetch needs this, as doing a DNS check is not really exfiltration (or is it?)
I think once we specify dns-prefetch we can make this happen. Right now that rel is handwavy to begin with...
mikewest
annevk
When prefetching a resource (or preconnecting to an origin), the destination of the request is unknown and also not important.
e.g. if this resource is a script and would be disallowed by
script-src, the directive would be invoked again when the response is about to be consumed and would be rejected then.The only security measure valid for prefetch/preconnect is to avoid exfiltration - i.e. block the request when the default directive blocks this URL and no other directive allows it.
Closes #542