[tor-commits] [meek/master] Set some safety defaults for fetch.
commit c9839e85b66793b6209abf820c2cda8c07ee2157
Author: David Fifield <david@xxxxxxxxxxxxxxx>
Date: Fri Feb 15 14:29:54 2019 -0700
Set some safety defaults for fetch.
cache: "no-store"
credentials: "omit"
redirect: "manual"
cache: "no-store" adds these headers, which seem fine:
Cache-Control: no-cache
Pragma: no-cache
---
webextension/background.js | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/webextension/background.js b/webextension/background.js
index ba56e7f..fd39273 100644
--- a/webextension/background.js
+++ b/webextension/background.js
@@ -83,6 +83,7 @@ function roundtrip(id, request) {
// Process the incoming request spec and convert it into parameters to the
// fetch API. Also enforce some restrictions on what kinds of requests we
// are willing to make.
+ // https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/fetch#Parameters
let url;
let init = {};
try {
@@ -107,6 +108,13 @@ function roundtrip(id, request) {
init.body = base64_decode(request.body);
}
+ // Do not read nor write from the browser's HTTP cache.
+ init.cache = "no-store";
+ // Don't send cookies.
+ init.credentials = "omit";
+ // Don't follow redirects (we'll get resp.status:0 if there is one).
+ init.redirect = "manual";
+
// TODO: Host header
// TODO: strip Origin header?
// TODO: proxy
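Review bot: With `init.redirect = "manual"`, a redirected request yields an opaque-redirect response (status 0, no readable headers or body), and nothing in this hunk turns that into an explicit error. The response handling of roundtrip lies outside the hunk, so confirm that it checks for this case, for example `if (resp.type === "opaqueredirect") { throw new Error("redirect not followed"); }`, rather than relaying a status of 0 to the client. The `init.cache` comment could also record what the commit message already notes, `// "no-store" also adds Cache-Control: no-cache and Pragma: no-cache to the request.`, since those headers change what the request looks like to the server.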