A partial archive of discourse.wicg.io as of Saturday February 24, 2024.

Initiating tag header for img,script,link,and other tags that load resources

Eric_Twilegar
2020-11-17

Recently I dealt with Subresource Integrity (SRI) and CORS issues.

One concern that seems to keep coming up year after year is that SCRIPT and IMG tags can hit random resources on the web, and that can cause the browser to leak information or cause cross-site exploits of various types, including an IMG tag deleting a record on a server someplace.

On the server side all these requests look just like any other. For AJAX (XHR) requests we actually do get a header that specifies that the request is coming that way. I suppose IMG tags generally have a referrer, but it isn’t much.

I suppose adding a header would cause a ton of internet traffic, but it would allow servers to know that a browser (unmodified, anyway) was making a request, say to ://mysite.com/login, inside of an IMG tag and return a 403 or 405 (maybe a new standard status code is in order) and just shut the whole request down.

Basically a new HTTP header like "x-initiating-tag: IMG". Might even allow certain reporting on the server side so we can see what requests might need to go to a CDN, etc.

This should not require any changes to HTTP and should be non-breaking, as servers that don’t care about the header would simply ignore it.

Malvoz
2020-11-17

This sounds a lot like Fetch Metadata Request Headers.

I.e., "Sec-Fetch-Dest: image"?
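The thread stops at the pointer to Fetch Metadata, so here is a constructed example (not code from either post, and not from any browser or web framework) of what a server does with those headers: the "IMG tag hitting /login gets a 403" decision from the first post, implemented as a resource isolation check on Sec-Fetch-Site, Sec-Fetch-Mode and Sec-Fetch-Dest, plus the per-path destination tally the first post wanted for reporting. The protected paths, the policy shape, the sample requests and the helper names are all assumptions for the example; the header names and values are the ones the Fetch Metadata Request Headers spec defines.

```python
"""Server-side use of Fetch Metadata request headers.

Constructed example: a framework-independent helper that a request
handler or middleware would call before doing any work. Header names and
values (Sec-Fetch-Site / Sec-Fetch-Mode / Sec-Fetch-Dest) follow the
Fetch Metadata spec; the paths and policy shape below are assumptions.
"""
from typing import Dict, List, Mapping, Tuple

# Hypothetical endpoints that change state or reveal data, and so must not be
# reachable as a cross-site subresource (IMG / SCRIPT / LINK) or cross-site fetch.
PROTECTED_PATHS = ("/login", "/api/", "/account/delete")

# Sec-Fetch-Site values that mean "not cross-site" (none = user-initiated, e.g. typed URL).
ALLOWED_SITES = ("same-origin", "same-site", "none")


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns the value lower-cased, or '' if absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip().lower()
    return ""


def resource_isolation_policy(method: str, path: str, headers: Mapping[str, str]) -> Tuple[int, str]:
    """Decide whether to let the handler run. Returns (status, reason); 200 = proceed."""
    site = _header(headers, "Sec-Fetch-Site")
    mode = _header(headers, "Sec-Fetch-Mode")
    dest = _header(headers, "Sec-Fetch-Dest")

    # No Sec-Fetch-Site at all: a browser that predates Fetch Metadata, or not a browser.
    # The policy cannot classify these; other defences (CSRF tokens, SameSite cookies) must cover them.
    if not site:
        return 200, "no Fetch Metadata headers; cannot classify, deferring to other defences"

    if site in ALLOWED_SITES:
        return 200, f"Sec-Fetch-Site={site}"

    # Everything below is a cross-site request.
    # Ordinary links from other sites are top-level GET navigations to a document: keep those working.
    if mode == "navigate" and method.upper() == "GET" and dest == "document":
        return 200, "cross-site top-level GET navigation"

    # The case from the thread: <img src="https://mysite.com/login"> on another site arrives
    # with Sec-Fetch-Dest: image and Sec-Fetch-Site: cross-site, and is refused before the
    # login handler ever runs. Cross-site POST navigations and cross-site fetches land here too.
    if any(path.startswith(prefix) for prefix in PROTECTED_PATHS):
        return 403, f"cross-site request with Sec-Fetch-Dest={dest or 'unknown'} refused"

    # Public assets (logos, fonts, shared scripts) may legitimately be embedded elsewhere.
    return 200, f"cross-site request to public path, Sec-Fetch-Dest={dest or 'unknown'}"


def summarize_destinations(requests: List[Tuple[str, str, Mapping[str, str]]]) -> Dict[str, Dict[str, int]]:
    """Count Sec-Fetch-Dest per path: the reporting use from the thread (which URLs are
    really fetched as images/scripts and might belong on a CDN)."""
    counts: Dict[str, Dict[str, int]] = {}
    for _method, path, headers in requests:
        dest = _header(headers, "Sec-Fetch-Dest") or "unknown"
        per_path = counts.setdefault(path, {})
        per_path[dest] = per_path.get(dest, 0) + 1
    return counts


# Constructed sample traffic, as a request log would show it (method, path, headers).
SAMPLE_REQUESTS = [
    ("GET", "/login", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors", "Sec-Fetch-Dest": "image"}),
    ("GET", "/login", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}),
    ("POST", "/login", {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty"}),
    ("GET", "/logo.png", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors", "Sec-Fetch-Dest": "image"}),
    ("GET", "/logo.png", {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "no-cors", "Sec-Fetch-Dest": "image"}),
    ("GET", "/login", {}),  # old browser or a non-browser client: no Fetch Metadata at all
]

if __name__ == "__main__":
    for method, path, headers in SAMPLE_REQUESTS:
        status, reason = resource_isolation_policy(method, path, headers)
        print(f"{method:4} {path:12} -> {status} ({reason})")
    print(summarize_destinations(SAMPLE_REQUESTS))
```

The first sample line is the exact scenario from the opening post: the IMG-initiated request to /login is refused with 403 while the same URL reached by clicking a link (cross-site navigate, GET, document) still loads. The missing-header branch is the important caveat: Fetch Metadata only helps when the browser sends it, so the check is a layer on top of CSRF tokens and SameSite cookies, not a replacement.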