[Webkit-unassigned] [Bug 172748] New: Consider blocking requests to HTTP(S) URLs that contain both `\n` and `<` characters.

Wed May 31 06:29:01 PDT 2017

https://bugs.webkit.org/show_bug.cgi?id=172748

            Bug ID: 172748
           Summary: Consider blocking requests to HTTP(S) URLs that
                    contain both `\n` and `<` characters.
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: All
                OS: All
            Status: NEW
          Severity: Enhancement
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mkwst at chromium.org
                CC: achristensen at apple.com, bfulgham at webkit.org,
                    wilander at apple.com

In the hopes of mitigating one form of dangling-markup-based exfiltration, Blink plans to block requests whose URLs contained both removable whitespace (`\n`, `\r`, `\t`) _and_ raw less-than (`<`) characters. https://github.com/whatwg/fetch/issues/546 lays out the strategy and justification in more detail, proposed patches to URL and Fetch are up for review at https://github.com/whatwg/url/pull/284 and https://github.com/whatwg/fetch/pull/519 respectively, and Blink's "Intent to Remove" might be helpful: https://groups.google.com/a/chromium.org/d/msg/blink-dev/KaA_YNOlTPk/VmmoV88xBgAJ.

CCing achristensen@ who's had helpful comments on the URL patch, though I don't think they're in favor of the exact implementation strategy outlined there. :)

WDYT?

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20170531/60e44f68/attachment.html>