getViewportMedia(): Let pages opt-in to capture #1
Comments
|
Chrome Security shared the view that a confirmation-only flow would require security measures roughly in line with what you suggest (that is - opt-in). I'd love to resume this conversation and try to agree on the details. The way I see it, we have two new requirements - (1) site-isolation and (2) a new header. We think the new header should apply to documents. Site-isolation will allow sub-resources to opt into being captured by their document, and the new header will allow one document to opt into to being captured by another. Embedded documents will also be opting in on behalf of the sub-resources which they embed. Rationale for applying the header only to documents:
For the shape of the new header, I think it would be useful to first decide what we expect the behavior to be. I think that it's important that failure of a document to opt-in using the header would not prevent loading the document, but rather, it would (1) break off on-going captures and (2) prevent the initiation of new captures. One rationale for this choice is the expectation that for most applications, flows involving screen-capture are not the primary flows. Especially screen-capture initiated via gCBCM. For example, in Google Slides, editing slide decks, reading decks written by others, commenting on decks, etc., are much more common use cases than sharing using gCBCM. It would be preferrable to keep these flows intact 100% of the time, at the cost of (rarely) breaking off a gCBCM-initiated capture. I expect the majority of other applications will see things similarly. If we agree on the above (suppress capture instead of prevent loading), then we need a new header that lends itself to such behavior. This rules out document policies, at least in their current form, because they prevent loading of non-conforming documents. Feature-policies, I think, could be bent to work here. It would require that we use two policies, and that we use the second one creatively, but I think it will work, and will spare us the need to define something new.
Wdyt? |
@elad Great to hear! — To clarify, By "site-isolation" do you mean COOP+COEP or just COEP? — I don't think COOP matters here, except making it simpler to talk about perhaps (mapping 1-1 with window.crossOriginIsolated).
I shudder using Spectre as a reason, but probably true. 👻 I think I'm ok with it. I wasn't planning to require headers for resources either. cc @annevk @mystor To clarify what we're talking about, these are resources that set E.g. "image2 canvas data CANNOT be read" in this example ( But I'm not 100% sure this isn't a problem. Are there sites out there serving personal info from cookies this way, relying on it being opaque? — A malicious site tricking a user for this permission could quickly steal personal info from all over the web this way. But as you point out, the same malicious site could use Spectre for this today without permission. |
Most common maybe, but != most important IMHO. Having just spent days prepping a presentation, I can confidently say the time most important to me to not break would be during the final presentation in front of an online audience. 🙂 I think I'd much prefer it break during preview, when there is still time to fix things. At the risk of sounding presumptuous, if this feature works out, it might quickly become the most important target for Google Slides, at least during this pandemic. But behavior seems orthogonal to the shape of headers to me. E.g. I don't see why we couldn't treat
It's "Permissions policy" now, and the Mozilla position on the HTTP headers part is still lukewarm. We only implement the iframe part FWIW.
Is this a requirement? Wouldn't you use In any case, going "up" the tree would go against every other permissions policy, and there would be no analogous Why not |
|
https://github.com/w3c/mediacapture-screen-share/issues/155#issuecomment-801493527 talks about site isolation, but do you mean cross-origin isolation, i.e., requiring COOP+COEP? It would help to see something more flushed out. Once you have COOP+COEP the main risk that remains (as Nika mentioned) is controls and such that might capture user state. Or |
|
From meeting (slide):
|
We did not really talk about that. |
So |
|
We have HTMLMediaElement.captureStream. |
I see your point about COOP not being strictly necessary, but Chrome Security believes it would be less confusing to developers if feature requirements fall into one of a small number of buckets, and are not mixed-and-matched on a per-feature basis. I suggest we start out with COOP+COEP and relax later if appropriate, and I think you suggest the same.
The Glitch sample is very useful for people who, like me, are making their first steps with COOP/COEP/etc. I'll be referring others to it. Thank you for setting it up! I understand how CORP-without-ACAO, meaning the resource is embeddable but not readable, sounds problematic. But IIUC, a malicious document could use Spectre to read any embedded resource anyway, meaning CORP-without-ACAO would not really protect against a malicious document - only make legitimate sites' lives harder. Please correct me if I am wrong, though.
My own opinion is still that killing capture would be preferrable, but Chrome Security has expressed the opinion that, should
Please forget my earlier reference to permission-policy; it's no longer relevant. I am not entirely opposed to
There is a finite set of user-data mining opportunities presented by either gVM/gDM. I think we should, separately, identify them and come up with proposals for what a user agent SHOULD/MAY do while a capture is active in order to protect the user's privacy. Note, however, that the user might actually be intending to share these, e.g. if receiving support from a trusted relative. I think it would be good to leave the final decision to individual UAs.
Exposing just the context (and its children) would make the feature equivalent to Clipping to the dimensions of a given element, on the other hand, is something Chrome is very much interested in following up on later as issue w3c/mediacapture-screen-share#158. (Please ignore crop-ID vs. transferability vs. other solutions for the time being.) Btw, perhaps we should save non-security topics for issue w3c/mediacapture-screen-share#148 (everything getViewportMedia-related other than security) and issue w3c/mediacapture-screen-share#158 (cropping/clipping). Wdyt? |
|
To expand a bit on Chrome security position regarding capture opt-in, we see this as a larger problem of APIs that might leak data from cross-origin resources at the page-level. So whatever we come up with, we would really want the mechanism to be reusable for other APIs with similar security impact. We have determined that requiring crossOriginIsolation is not enough for such APIs, as the threat model for crossOriginIsolated is APIs that might leak data at the agent cluster level, and not the page level (because the threat is a Spectre attack that is mitigated by out-of-process iframes and we don't want to lower this protection). Concretely, this means we need an additional opt-in from cross-origin frame. Note that this rests upon the assumption that COEP ensures that subresources loaded by the cross-origin iframe have either shared their content with the cross-origin iframe through CORS or opted-into being loaded in a potentially dangerous environment by setting CORP cross-origin. Because of this, we can take the opt-in of the cross-origin frame as an opt-in by the subresources without them having to individually opt them in as well. The iframe could after all just send the content of subresources loaded through CORS to other frames in the page through postMessage, and resources with CORP cross-origin have opted into being loaded into a dangerous environment (ie an attacker could load them directly in a crossOriginIsolated environment and do a Spectre attack on them). What's important for us is not leaking the iframe content, which is why we need an opt-in. We also believe that the enforcement of the opt-in should be blocking load rather than disabling the feature. If we imagine extending this mechanism to other APIs, going with a disabling model means every single feature must implement a way to disable itself in the middle of execution if a cross-origin frames loads that has not opted into the API. This is likely to result in bugs leading to security issues as opposed to blocking the load, which is safe. Not to mention that we have issues with race conditions, as we must prevent execution of an API in one frame in response to a navigation in a cross-origin frame, two events that are asynchronous. That enforcement must be applied to every frame in the page, which essentially means that it needs to be required by the top-level frame in its response headers and will not change over the lifetime of the document (or we run into potential race conditions between frame creation and requesting access to the API). With this in mind, we see two potential solutions.
We would be a bit more partial to something like: If we go that route, we should also define a Fetch Metadata request header to inform the server of the COEP required by the parent, like: Our main issue with this solution is that it ends up mixing two concepts in the same COEP header: the policy to apply to the resources a document embed and an opt-in for APIs.
Basically, we define an html-capture DocumentPolicy (off by default) and only allow the API to be used if the top-level frame sends a The issue with that solution is that the opt into the APIs is now split over two mechanism, crossOriginIsolated and DocumentPolicy. Now, do we require just COEP for page capturing, or crossOriginIsolated? From a security perspective, for page capture, COEP is sufficient. Since it is scopped to a page, COOP doesn't apply. However, as Elad mentioned, we are concerned about creating very different ways to have access to various APIs. Right now, we have:
Finally, crossOriginIsolated is currently exposed to the web, while the COEP status of the page isn't. If we go with extending COEP headers, we probably need to expose it so that developers can query which API they have access to. @arturjanc and @letitz who have also been looking at this. |
|
@camillelamy thanks for the concise writeup! I think I agree with most of it.
If it helps, I still see it as a policy applied to iframes, creating different (risk) environments, not tied to any one feature, much like it's not called Consider if we renamed it: I.e. pages opt into different risk profiles, enabling one or perhaps more features like getViewportMedia. But I'll concede that the original premise behind COEP might have been solely to create less risky environments. cc @annevk |
|
@jan-ivar I agree that the goal of COEP is to get pages to opt into environments with different risk profiles. I am just wondering how easy it is to communicate this risk profile to the developer. Probably, we need to work on the wording, as I am not super fan of what To be clear, we are ok with a COEP based solution, as long as we envision several risk profiles being supported there. For example |
|
@annevk Do you have some opinion on the right mechanism here? In Chrome, I think we're a bit more in favor of using required Document Policy + crossOriginIsolated. However, an approach using COEP + crossOriginIsolated can also work. |
|
I think if it doesn't affect subresources (as seems to be the case), something like Document Policy might be more appropriate. Mozilla hasn't really taken a stance on Document Policy though and it's currently in WICG for that reason. I'll see if others have thoughts. I have a question though, what about user state leaked in other ways, such as form controls or |
The plan is to rely on permission prompting and privacy indicators, and a list of other items here — Any kind of sanitizing risks creating an ad-blocker blocker mode. There's some pushback on the visibility requirement, since there are use cases of capturing e.g. a Google slides presentation in another open tab, without leaving the Google Meet tab, and basically remote-control the presentation with "next page", "previous page" commands out of band from there. Both Chrome and Firefox (behind a pref) support capture of tabs that are in the background today FWIW. |
Pushback on visibility requirements placed on Speaking of requiring visibility for gVM, I do think it would be counter-productive.
Taken together, these mean that attacks are possible immediately or never. Capture persisting after loss of visibility, does not enable new attacks. But maintaining the capture when visibility is lost does increase usability, even for gVM. The user can tab away and double-check a fact on Wikipedia without interrupting the call or alerting remote participants to their interaction with other tabs. ¹ Attacks that have been discussed thus far, that is. If new attacks are presented, I will recant. |
|
I don't think a requirement that the capture stops when the tab goes into the background brings that much in terms of security. Attacks that we are worried about can be accomplished by embedding an iframe at very low level of visibility, making it unnoticeable for the user even if the tab is in the foreground. I think it is important that the tab is in the foreground when the permission to share it is asked though. |
Has this been discussed out-of-band by any chance? (@annevk?) |
jan-ivar
changed the title
|
Update on blockers:
|
|
Once Document Policy has a proper name (that would also affect the name of that header) I would be okay with it as well. See WICG/document-policy#26. |
|
@camillelamy @annevk Note, the WG went with |
|
I don't care particularly strongly. What's not entirely clear to me is whether Document Policy is still something Google is pursuing. E.g., w3c/webappsec-permissions-policy#444 (comment) does not inspire much confidence. |
|
I am ok with the new name. Required Document Policy is something we are interested in pursuing, provided there is some use case that requires it. Capture could be such a use case. In particular, we do believe that the mechanism could potentially be useful for security checks like opt into tab capture, but it may be true that it is less useful for performance optimizations. |
Compared to native, capturing a web page has been plagued by security concerns since this spec's inception. Can we imagine a web that's safer to screen-capture, similar to a web where
SharedArrayBufferis safer to use?What if we came across a page that met these conditions? We could remove restrictions added for the legacy web, both for some choices in the existing
getDisplayMediaand new APIs like the proposedgetTabMediagetViewportMedia.One idea for such opt-in is
Cross-Origin-Embedder-Policy: require-corp; html-capturecovered in slides here.I'm opening an issue to discuss this independent of those APIs. Note it only covers the cross-origin issue. Permissions are still needed to cover user information harvesting.
I've also created a COEP playground in glitch ([1], [2]) for those unfamiliar with the concept and want to experiment with it.
The text was updated successfully, but these errors were encountered: