Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New connections and port blocking #889

Open
annevk opened this issue Apr 2, 2019 · 4 comments
Open

New connections and port blocking #889

annevk opened this issue Apr 2, 2019 · 4 comments
Labels
security/privacy There are security or privacy implications topic: connections topic: port blocking

Comments

@annevk
Copy link
Member

annevk commented Apr 2, 2019

When opening a new connection, should port blocking be consulted? Otherwise Alt-Svc and maybe other features can be used to circumvent it.

cc @whatwg/security
@annevk annevk added security/privacy There are security or privacy implications topic: port blocking labels Apr 2, 2019
@annevk
Copy link
Member Author

annevk commented Jan 6, 2021

See also #1118 and #1122.

@annevk annevk mentioned this issue Mar 9, 2021
Open
@annevk
Copy link
Member Author

annevk commented May 25, 2021

And #1191 (comment).

@annevk annevk mentioned this issue May 26, 2021
Open
@ricea
Copy link
Collaborator

ricea commented May 27, 2021

I think so. But I'm not sure what to do when a failure happens at that level.

@annevk
Copy link
Member Author

annevk commented May 28, 2021

I was looking at the algorithm in Fetch and it seemed that if "obtain a connection" did the check nothing would really change in terms of observable behavior.

Although it depends a bit on whether we'd still do CSP checks if we decided the port was blocked. As written though you could be forgiven for thinking both would run.

A notable exception here is WebSocket connections, which is why I tried to tackle that.

But I would also be okay with having the check in both places. The failure would surface the same way as a DNS failure.

@annevk annevk mentioned this issue Oct 12, 2021
Closed
@annevk annevk mentioned this issue Nov 4, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security/privacy There are security or privacy implications topic: connections topic: port blocking
Milestone
No milestone
Development

No branches or pull requests
2 participants
@annevk @ricea