-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Partition WebSockets Limits to prevent side channels #19990
Comments
@goodov can we get a testplan for this when you get a chance? Thanks! |
@pes10k wdyt about adding a test page for WebSockets limits? A manual testing can have many steps here and it's not easy to get all expectations from different frames in a quick manner. |
I've requested that devops create a websocket server we can use here. That issue is here: https://github.com/brave/devops/issues/6722 Once the above issue is complete, i can implement a QA test |
Verified using
Confirmed able to run the web sockets test on https://dev-pages.brave.software/network-state/web-sockets.html with default shield settings: Confirmed when shields are down more than 10 connections can be created on the same page: Confirmed able to run the test (with shields up) on both of the following pages simultaneously: Verified Brave | 1.36.90 Chromium: 98.0.4758.87 (Official Build) beta (64-bit) Scenario 1: Visited https://dev-pages.brave.software/network-state/web-sockets.html Scenario 2: Visited https://dev-pages.brave.software/network-state/web-sockets.html Scenario 3: Visited https://dev-pages.brave.software/network-state/web-sockets.html Verification
Confirmed able to run the web sockets test on Confirmed when Shields are down more than 10 connections can be created on the same page: Confirmed able to run the test (with Shields up) on both of the following pages simultaneously: |
I'm currently opening around ~45 web socket connections from an extension and being hampered by this limit recently. We haven’t noticed any problems with unpartitioned pools with our extension so far, so would be interested in your appetite to increase the limit - it looks like this has been considered previously. Given Chromium extensions have to pass a review process prior to publishing, an alternative might be to lift the cap for an application in the extension environment entirely. However, unpacked extensions might be an exception to this rule. |
cc @pes10k would like to hear your opinion here. I believe technically we can ignore/increase the limit for extensions. |
Sure, extensions already have global / unpartitioned storage, so imposing the limit on extensions isn't useful. That said, i think this (~45 parallel websockets w/in the same partition) is a pretty tail case. If we can easily remove the limitation for extensions (say 1-2 days of work) i think its worth doing. Otherwise, i think its a P4 or P5 kind of thing (it'd be good to address, but its low priority, given other tasks) |
@jonathanpdunne |
@goodov looks like it's fixed! Big thanks for attending to this issue, really appreciate it. |
Currently WebSockets have a large global limit in the Chromium. This limit is shared by all open sites. Trackers on those sites can use this limit to communicate across site boundaries, and so track users across the web, circumventing many of Brave's partitioning protections.
To prevent the most dangerous forms of this attack (attacks that target the largest limited-but-unpartitioned pools in Chromium), Brave should do the following:
Once this is done for websockets, we could look for other connection pools and global limits to apply similar mitigations to.
The text was updated successfully, but these errors were encountered: