Impact on same-origin policy

[annevk]

These new headers increase the size of an HTTP request and coupled with attacker-controlled headers or header values could be used to carry out certain cookie-size sniffing attacks.

Privacy measures in browsers might invalidate some of these attacks, but the privacy boundary is typically not the origin, at least in today's implementations.

[miketaylr]

Attaching some additional context, indirectly via @annevk:

• https://bugzilla.mozilla.org/show_bug.cgi?id=1447631
• Limit the length of the Referer header whatwg/fetch#903
• Strengthen requirements on CORS-safelisted request-headers whatwg/fetch#736

[yoavweiss]

Looking at table 2 in the paper quoted in that Bugzilla issue, it seems like the underlying concern is that we need to make sure that overall request header sizes should be below 8KB in order for them to be CORS safe.
The specific vector described to distinguish 200 from a 400 was since fixed, but maybe there are others.

This issue seems to be impacting all new request headers, not just UA-CH, or even CH in general. e.g. Sec-Fetch-*
/cc @mikewest

We cannot place a CORS cap on the overall request headers size, as this would create its own side channel. At the same time, we can (and looks like we have) add a cap on the overall size of safe-listed headers, as 1024.

So, if I'm reading this correctly, UA-CH and other safelisted headers don't impact same-origin policy beyond running a risk of triggering a preflight, if the list gets too long. Is that correct?

[annevk]

Well, it's unclear, because it's not defined how UA-CH et al work. (And there are no preflights for navigations, note.)

[yoavweiss]

We cannot place a CORS cap on the overall request headers size, as this would create its own side channel. At the same time, we can (and looks like we have) add a cap on the overall size of safe-listed headers, as 1024.

@annevk - reviving this part. Would it make sense to add a cap on the size of safelisted headers added per request? such that if someone is adding all the Client Hints, they run a risk of triggering preflights, but that won't be an issue in the typical case?

[annevk]

I think coupled with Sec-* that would indeed address the concern. It's a bit unclear to me how that would work in practice. And there's a problem with navigations as those don't do preflights at the moment.

[yoavweiss]

Should we move this to client-hints-infra? This doesn't seem specific to UA-CH