Use "least restrictive" directive instead of prefetch-src
#582
Conversation
When prefetching a resource (or preconnecting to an origin), the destination of the request is unknown and also not important. e.g. if this resource is a script and would be disallowed by `script-src`, the directive would be invoked again when the response is about to be consumed and would be rejected then. The only security measure valid for prefetch/preconnect is to avoid exfiltration - i.e. block the request when the default directive blocks this URL and no other directive allows it. Closes w3c#542
| @@ -2703,74 +2701,6 @@ this algorithm returns normally if compilation is allowed, and throws a | |||
|
|
|||
| 4. Return "`Allowed`". | |||
|
|
|||
| <h4 id="directive-prefetch-src">`prefetch-src`</h4> | |||
There was a problem hiding this comment.
I think you'll also need to modify https://w3c.github.io/webappsec-csp/#effective-directive-for-a-request and https://w3c.github.io/webappsec-csp/#directive-fallback-list.
I will add a non-handwavy thing for preconnect in fetch, no need to handwave. Probably create a "fake" request just for the purpose of checking it against the policy. I don't know if |
|
|
OK then. |
|
(Defining |
Totally, it's on my list after we finish |
Co-authored-by: Mike West <[email protected]>
Co-authored-by: Mike West <[email protected]>
Co-authored-by: Mike West <[email protected]>
Co-authored-by: Mike West <[email protected]>
Co-authored-by: Mike West <[email protected]>
Co-authored-by: Mike West <[email protected]>
Waiting for a response from Mozilla folks to this Standards position comment, and for Apple's position on some of the details. I wanted to reach a bit of consensus before proceeding to the tests, but perhaps this is a good time. |
Instead of relying on `prefetch-src`, we rely on the least restrictive directive in the policy. Tests w3c/webappsec-csp#582
Tests: web-platform-tests/wpt#37715 |
There was a problem hiding this comment.
Thanks, @noamr. I'm happy with this PR based on the tests you linked and WebKit's apparent approval in WebKit/standards-positions#114 (comment).
You'll need to join WebAppSec to make the IPR bot happy. Perhaps you can take care of that before I land this?
Done |
SHA: 54ae572 Reason: push, by mikewest Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
It was removed by CSP: w3c/webappsec-csp#582.
w3c/webappsec-csp#582 dropped prefetch-src from the CSP spec.
w3c/webappsec-csp#582 dropped prefetch-src from the CSP spec.
w3c/webappsec-csp#582 dropped prefetch-src from the CSP spec.
As per w3c/webappsec-csp#582, prefetch-src has now been deprecated.
When prefetching a resource (or preconnecting to an origin), the destination of the request is unknown and also not important.
e.g. if this resource is a script and would be disallowed by
script-src, the directive would be invoked again when the response is about to be consumed and would be rejected then.The only security measure valid for prefetch/preconnect is to avoid exfiltration - i.e. block the request when the default directive blocks this URL and no other directive allows it.
Closes #542