PSA: Enforce CORS for favicons


Jiacheng Guo

Sep 22, 2022, 11:43:52 AM
to blink-dev, Tsuyoshi Horo, Javier Garcia Visiedo
Contact emails

Specification

Summary
Enforce the CORS policy specified in <link rel="icon"> labels.

Currently Chrome always uses no-cors mode when fetching favicons even if the cross-origin attribute is specified. The browser shall follow the cross-origin attribute.

Blink component
Blink>SecurityFeature>CORS

Debuggability
If a favicon fetch fails with a CORS error, it will be reported in the developer tools.

Link to entry on the Chrome Platform Status
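As an added illustration of what the change above means for site owners (this is example code written for this summary, not Chromium's favicon loader), the following models how the `crossorigin` attribute on a `<link rel="icon">` element maps to a fetch request mode under the HTML "CORS settings attribute" rules, and whether a given icon response would then pass the CORS check. Before the change, the favicon fetch always used no-cors and the response was never checked; once the attribute is honoured, a cross-origin icon host must answer with a suitable `Access-Control-Allow-Origin` header or the icon fails to load. The page origin, icon tags and response headers are constructed sample values, and the attribute extraction is a simplified regex rather than a full HTML parser.

```javascript
// Map a crossorigin attribute value (null when the attribute is absent) to the
// request mode and credentials mode that the HTML spec's CORS settings
// attribute rules assign: absent -> No CORS; "use-credentials" -> Use
// Credentials; "anonymous", the empty string or any other value -> Anonymous.
function iconRequestPolicy(crossoriginAttr) {
  if (crossoriginAttr === null || crossoriginAttr === undefined) {
    // No CORS state: opaque response, credentials sent, nothing checked.
    return { mode: "no-cors", credentials: "include" };
  }
  if (crossoriginAttr.toLowerCase() === "use-credentials") {
    return { mode: "cors", credentials: "include" };
  }
  return { mode: "cors", credentials: "same-origin" };
}

// Extract the crossorigin attribute from a single <link> tag string.
// Simplified parsing for this example; a real HTML tokenizer is assumed
// in the browser.
function crossoriginOf(linkTag) {
  const m = /\bcrossorigin(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]*)))?/i.exec(linkTag);
  if (!m) return null;
  return m[1] ?? m[2] ?? m[3] ?? "";
}

// Apply the CORS check a browser performs on the icon response.
// `origin` is the page origin; `headers` maps lowercase response header
// names to values.
function corsCheck(policy, origin, headers) {
  if (policy.mode === "no-cors") {
    return { ok: true, reason: "no-cors: response used opaquely, never checked" };
  }
  const acao = headers["access-control-allow-origin"];
  if (acao === undefined) {
    return { ok: false, reason: "missing Access-Control-Allow-Origin" };
  }
  if (policy.credentials === "include") {
    // Credentialed requests may not use the wildcard and need ACAC: true.
    if (acao === "*") return { ok: false, reason: "wildcard not allowed with credentials" };
    if (acao !== origin) return { ok: false, reason: "origin mismatch" };
    if (headers["access-control-allow-credentials"] !== "true") {
      return { ok: false, reason: "Access-Control-Allow-Credentials must be true" };
    }
    return { ok: true, reason: "credentialed CORS ok" };
  }
  if (acao === "*" || acao === origin) return { ok: true, reason: "CORS ok" };
  return { ok: false, reason: "origin mismatch" };
}

// End-to-end: tag string + page origin + icon host response -> verdict.
function evaluateFavicon(linkTag, pageOrigin, responseHeaders) {
  const policy = iconRequestPolicy(crossoriginOf(linkTag));
  return { policy, ...corsCheck(policy, pageOrigin, responseHeaders) };
}

// Constructed sample inputs for a stand-alone run.
const PAGE_ORIGIN = "https://app.example";
const SAMPLES = [
  ['<link rel="icon" href="https://cdn.example/favicon.ico">', {}],
  ['<link rel="icon" href="https://cdn.example/favicon.ico" crossorigin>', {}],
  ['<link rel="icon" href="https://cdn.example/favicon.ico" crossorigin="anonymous">',
    { "access-control-allow-origin": "*" }],
  ['<link rel="icon" href="https://cdn.example/favicon.ico" crossorigin="use-credentials">',
    { "access-control-allow-origin": "*" }],
  ['<link rel="icon" href="https://cdn.example/favicon.ico" crossorigin="use-credentials">',
    { "access-control-allow-origin": PAGE_ORIGIN, "access-control-allow-credentials": "true" }],
];

for (const [tag, headers] of SAMPLES) {
  const r = evaluateFavicon(tag, PAGE_ORIGIN, headers);
  console.log(`${r.ok ? "LOAD " : "BLOCK"} mode=${r.policy.mode} creds=${r.policy.credentials} :: ${r.reason}`);
}
```

The second sample is the case the thread is about: an icon tag that carries `crossorigin` (Anonymous state) loaded from a host that sends no CORS headers. Under the old behaviour the attribute was ignored and the icon loaded; with the attribute honoured the fetch fails the CORS check and surfaces in the developer tools.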

Yoav Weiss

Sep 22, 2022, 11:53:21 PM
to Jiacheng Guo, blink-dev, Tsuyoshi Horo, Javier Garcia Visiedo
Hey Jiacheng!

What are other browsers doing on that front?

While I agree that this is not strictly web exposed (and hence doesn't really fit the "intent to ship" mould), this is something developers need to be aware of.

On Thu, Sep 22, 2022 at 5:43 PM Jiacheng Guo <g...@chromium.org> wrote:
Debuggability
If a favicon fetch fails with a CORS error, it will be reported in the developer tools.

Can you also report such failures as Deprecation Reports?

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/d0e9454f-62c1-4c43-a1e1-2b39743062bbn%40chromium.org.

Jiacheng Guo

Sep 25, 2022, 9:12:52 PM
to blink-dev, Yoav Weiss, blink-dev, Tsuyoshi Horo, Javier Garcia Visiedo, Jiacheng Guo
Hi Yoav

Thanks for your advice!
Firefox will block the icon and report a CORS failure, while Safari will load the icon.
I agree on adding Deprecation Reports for blocked icons.


Yoav Weiss

Sep 25, 2022, 9:33:06 PM
to Jiacheng Guo, Andre Bandarra, blink-dev, Tsuyoshi Horo, Javier Garcia Visiedo
