Web Packaging Format #29
Comments
|
Concerns (non-exhaustive):
|
|
FWIW, today I was asked about this by Yoav and a few Googlers. |
|
Just noting the use of web packaging and AMP (blog post). We should evaluate what this means exactly and how web packaging addresses concerns around AMP. |
|
This isn't a complete answer to @hsivonen's concerns, but I figured I'd point you to the up-to-date proposals before you re-review anything: https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html is additional HTTP-level metadata to receive exchanges without talking to the origin server. It's the piece that we think is most immediately useful for AMP. It proposes a way for browsers to opt into CDNs pushing cross-CDN content, although @yoavweiss suggested a second way that I haven't analyzed or written up yet. WICG/webpackage#98 is the start of the MHTML replacement, and the PR lists a couple ways that it improves on MHTML. https://tools.ietf.org/html/draft-yasskin-webpackage-use-cases-00 has a more complete list of use cases, and was published in August. |
|
See also @ekr's comment at #53 (comment) |
|
I'm finding myself a bit confused about which standards body this document seems to think it's targeted at. The link above is to a WICG repo but it's clearly an IETF draft. |
|
There are several pieces: signed exchanges are aimed at the IETF; bundles are either aimed at the IETF or the WICG depending on conversations at IETF101; and the specification about how browsers load both of those, expose them to service workers, etc., will definitely go through the WICG. The whole thing is in a WICG repository because at the beginning it wasn't clear that I should bring signed exchanges through the IETF. |
|
On the question of venue, it is pretty clear to me that addressing the architectural questions this work raises is something that both the IETF and W3C might have input on. I would not be happy unless both bodies agree that this is worthwhile. I'm happy that this is going to the IETF. The question of what this does to HTTP is one that they need to address. That's necessary, but not sufficient. Even if the IETF agreed that this is a reasonable solution, the W3C might have grounds to object. We know that the TAG has already made a statement about one of the use cases that this enables; I expect them to have more to say. Personally, I think that this is potentially very harmful, and it's not clear what would be required to address that concern. The way that this is set up suggests a range of use cases, but if just one of those has the potential to do significant damage to the ecosystem, we need to address that harm. We should mark this harmful until we can be convinced otherwise. |
|
I found the last paragraph of @ekr's post quite convincing in terms of showing that this is problematic since it changes what our security indicators mean in fundamental ways. On the flip side, I think it's pretty important for a bunch of things:
It's not clear to me what the path forward is; does any approach to packaging necessarily have this problem, or are there ways to avoid them? Does avoiding them require a new state for our security UI? |
|
If you don't couple packaging with distributing content from a different authority it seems you could have packaging sans signing as a new kind of delivery mechanism; that might be enough for 1 and 3 of your list, but not 2 I suspect. |
|
@annevk Yes, and that's the bundling spec that's separated out from the signed exchange spec. |
|
My problem here is primarily with origin substitution. I'm actually fine with signing and offline I suggested a beefed up version of SRI-caching to @jyasskin as an alternative to this. I think the primary question at hand is whether there is a standalone mechanism where the client gets content displayed as origin X without any direct contact at all with X. |
|
To @ekr's point the introduction to draft-yasskin-http-origin-signed-responses-02 clearly states that "When signed by a certificate ([RFC5280]) that’s trusted for an origin, an exchange can be treated as authoritative for that origin, even if it was transferred over a connection that isn’t authoritative (Section 9.1 of [RFC7230]) for that origin." Using signed HTTP exchanges to enhance the security of accessing a resource or verifying its authenticity seems like a good thing; but it seems positively harmful to use signed HTTP exchanges as a replacement for the longstanding web security model (e.g., RFC 6454 as Ted Hardie points out at https://lists.w3.org/Archives/Public/ietf-http-wg/2018JanMar/0079.html). I suggest that we let the discussion on the HTTP WG list play out further, and see how @jyasskin modifies his I-D in response to ongoing feedback. |
|
Based on the conversation so far, I plan to enter a "harmful" with a summary of the concerns expressed above in the "position detail" field, along with an explanation that Mozilla would likely support a webpackaging proposal if such concerns could be addressed. Please respond by the end of this week if you object to this course of action. |
|
So #53 has been merged. Are there other parts of Web Packaging that we should document positions on, or should this be closed (at least for now)? |
|
You could document a position on bundles, but it's probably premature until that's at least published as an IETF or WICG draft. I expect to come back with answers to the concerns above, based on either https://tools.ietf.org/html/draft-yasskin-http-origin-signed-responses-03 (published today) or the discussion at IETF101 in 2 weeks, but I'm happy to reopen the issue when I've written that appeal. |
|
Given that we've surfaced the position for what can be surfaced, I'm closing this issue. |
|
@adamroach it seems we only list Signed HTTP Exchanges. Should we list Web Packaging separately? |
|
@annevk -- It sounded like the proponents of that work weren't quite ready to make their case. If you think it's ready for evaluation, open an issue, pointing to the relevant document. |
|
If you add one, it should probably be "Bundles". Web Packaging groups the two ideas. I probably will put both into the same Fetch integration spec, hopefully in the next couple months. |
|
We, Chrome team, would like to re-open Mozilla's standards position on Signed Exchanges given the updates to the specifications (https://tools.ietf.org/html/draft-yasskin-http-origin-signed-responses-05 and https://wicg.github.io/webpackage/loading.html) that have happened since the position was established. Mozilla's current documented objections are:
We are struggling with objection (1) because it doesn't describe any concrete harm caused by the change, especially since the authoritative server's content has plenty of opportunity to contact its server after the content loads. We haven’t heard more details on the thread where that concern was originally expressed. We believe that Objection (2) isn’t a significant change from the status quo when considering more of the stack than just TLS, as described in https://lists.w3.org/Archives/Public/ietf-http-wg/2018JanMar/0089.html and https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html#privacy-considerations. EKR also suggested an SRI-based solution, which I tried to write up in https://jyasskin.github.io/sideloaded-exchanges/draft-yasskin-httpbis-sideloaded-exchanges.html. We haven’t heard any feedback on that draft yet. It’s unclear if our attempts at understanding or resolving the concerns are missing the point or are otherwise inappropriate, or if this is an issue of finding the time or a good person to review. We acknowledge three important reductions in security relative to TLS, which we've tried to mitigate, and for which we’d love your help, both for evaluating the mitigations and improving them.
We are looking forward to your response. |
|
Hi @jyasskin, just acknowledging your request here. I'm working on getting you an answer. Understand that this is not a very high priority for us, and there is a lot of complexity. It might take us a while to get back to you. |
|
Has @hsivonen's objection been addressed? Specifically the one about layering on top of CBOR, which has undefined anything-goes error handling. Even though I suspect it's not anyone's primary objection, this seems like a serious future interop hazard that could be fixed (if it hasn't been already). |
|
@othermaciej I've approached @hsivonen's objection by sending patches to the next version of CBOR, which you can find at https://cbor-wg.github.io/CBORbis/draft-ietf-cbor-7049bis.html. We're much closer to "good" error handling there, in that the web packaging specs can say "if the CBOR is not valid, return a network error", and have that mean the right thing, but I wouldn't yet bet that we're all the way there. CDDL also has some issues along these lines. |
|
Here is our updated position paper, which reaffirms our position: https://docs.google.com/document/d/1ha00dSGKmjoEh2mRiG8FIA5sJ1KihTuZe-AXX1r8P-8/edit?usp=sharing This is based on the current state of the documents. We understand that this work continues to progress. Importantly, we hope to get more information from the upcoming ESCAPE workshop. |
|
Also worth noting the version of the above position paper that was submitted for the ESCAPE workshop. (Also PDF rather than Google Docs.) |
|
Is there any update on the Mozilla Position on Signed HTTP Exchanges? I think there was some progress in the discussion at IETF during the one year . |
|
@horo-t, we hope Mozilla will not cave in to Google's attack on the open web, but thank you for asking. |
Request for Mozilla Position on an Emerging Web Specification
Other information
It will allow people to bundle together the resources that make up a website, so they can be shared offline, either with or without a proof that they came from the original website.
Repo: https://github.com/WICG/webpackage
The text was updated successfully, but these errors were encountered: