Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[audioworklet] Enforcing SecureContext on audioWorklet.addModule() #1436

Closed
hoch opened this issue Oct 31, 2017 · 18 comments
Closed

[audioworklet] Enforcing SecureContext on audioWorklet.addModule() #1436

hoch opened this issue Oct 31, 2017 · 18 comments
Assignees
Milestone

Comments

@hoch
Copy link
Member

hoch commented Oct 31, 2017

I don't think we have a broader consensus on this, but it might be worth to discuss it in our WG. Here are related issues from TAG and CSS Houdini TF:
w3ctag/design-principles#75
w3c/css-houdini-drafts#379

In short, the argument is that HTTPS should be enforced on audioWorklet.addModule().

I generally agree with this idea because running JS code on the higher priority thread (audio rendering thread) should take extra caution. We might want to see this as a feature rather than a restriction.

In terms of the spec work, this work needs to be done in the Worklet - not in its variants (Paint/Audio/Animation...). However, if we find a potential issue on it we want to raise a flag before it's too late.

@hoch hoch self-assigned this Oct 31, 2017
@joeberkovitz
Copy link
Contributor

We're closing since we've discussed and it falls to Worklet to decide how this goes... our spec doesn't have to change,

@hoch
Copy link
Member Author

hoch commented Nov 3, 2017

Houdini WG issue: w3c/css-houdini-drafts#505

@annevk
Copy link

annevk commented Nov 24, 2017

I think this should be reopened since it does directly affect your specification. E.g., we shold not expose self.audioWorklet on insecure contexts.

@joeberkovitz
Copy link
Contributor

@annevk Is there a clear writeup of what paint worklets are doing re: this issue? It'd be easier than reverse engineering the intent from Chromium diffs. My guess is that we add [SecureContext] to the audioWorklet attribute definition in AudioContext but I didn't see a flat-out statement in the discussion minutes or bug threads.

Reopening to make sure we track this.

@annevk
Copy link

annevk commented Nov 25, 2017

From https://groups.google.com/a/chromium.org/d/msg/blink-dev/Jex3idOld48/VeOxMUNDBAAJ:

Ship CSS Paint in secure contexts only, and also block future types of worklets (e.g. audio worklet) on secure contexts.

I can state that this also goes for Mozilla.

@annevk
Copy link

annevk commented Nov 25, 2017

(You didn't hit reopen btw.)

@hoch
Copy link
Member Author

hoch commented Nov 27, 2017

E.g., we shold not expose self.audioWorklet on insecure contexts.

@annevk Now we have AudioWorklet interface (which extends Worklet) and it should have the attribute of [SecureContext]. I believe that's good enough.

@joeberkovitz We can add this change to PR #1445 since it's really tiny.

@annevk
Copy link

annevk commented Nov 27, 2017

I believe that's good enough.

The accessor for the worklet itself should have the extended attribute too. Otherwise, what's the processing model for the getter of that accessor in insecure contexts?

@hoch
Copy link
Member Author

hoch commented Nov 27, 2017

I see. Just to confirm: is this correct?

[SecureContext]
interface AudioWorklet : Worklet {}

partial interface BaseAudioContext {
  [SecureContext] readonly attribute AudioWorklet audioWorklet;
}

@inexorabletash
Copy link

inexorabletash commented Nov 27, 2017

Yes, that looks correct to me.

EDIT: Take that with a grain of salt... the spec doesn't currently have an audioWorklet attribute in BaseAudioContext, so I was reacting to tossing the annotation on such an interface member as if it existed.

@inexorabletash
Copy link

... although perhaps AudioWorkletNode should be restricted to [SecureContext] as well, as it's not useful otherwise?

@hoch
Copy link
Member Author

hoch commented Nov 27, 2017

AudioWorkletNode won't be instantiable because there is no way to load the script code via AudioWorklet. Would it still be necessary?

Hmm. Perhaps. The error message will suggests something like "the definition is not registered in AudioWorklet". Referring an object that's not instantiable sounds a bit off.

@inexorabletash
Copy link

inexorabletash commented Nov 27, 2017

Sorry, revising my comment above, it should be:

partial interface Window {
    [SameObject, SecureContext]
    readonly attribute Worklet audioWorklet;
};

No need to add anything to BaseAudioContext, assuming the current spec is correct about where the audioWorklet attribute lives.

@hoch
Copy link
Member Author

hoch commented Nov 27, 2017

Oh, we're moving AudioWorklet under BaseAudioContext.

Thread: #1435

@inexorabletash
Copy link

Thanks for clarifying!. :) Then yeah, as you wrote above.

But if you're really specing it as a partial then this would be preferred:

[SecureContext]
partial interface BaseAudioContext {
  readonly attribute AudioWorklet audioWorklet;
}

... to imply that the partial is not applied in non-secure contexts. If you just used partial for a short explanation in the bug, then applying it directly to the attribute is preferred.

@inexorabletash
Copy link

Referring an object that's not instantiable sounds a bit off.

Agreed. IMHO, the API surface should make sense in each type of context. Having a type exposed in a non-secure context which can't possibly be used there seems weird.

@hoch
Copy link
Member Author

hoch commented Nov 27, 2017

If you just used partial for a short explanation in the bug, then applying it directly to the attribute is preferred.

Yes. That was my intention.

Agreed. IMHO, the API surface should make sense in each type of context. Having a type exposed in a non-secure context which can't possibly be used there seems weird.

Okay, I will raise the issue in the meeting soon. Adding [SecureContext] on AudioWorklet, BAC.audioWorklet and AWN make sense to me.

@joeberkovitz
Copy link
Contributor

I have made these changes in #1445. Reopening this bug and connecting to that PR as the fix.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants