-
Notifications
You must be signed in to change notification settings - Fork 157
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Permissions Policy unload #444
Comments
I don't understand why this is being discussed separately for both document policy and permissions policy and maybe I just overlooked it but I can't see a discussion of moving to PP in WICG/document-policy#39. Intuitively it feels well placed in document policy and not something for PP.
But that's only true for the header, right? I'm not sure to what extent it's supported but the required DP for the iframe should be controllable via the |
@johannhof Thanks for the feedback, DP applies only to the specific frame and not to the entire subtree of frames, so a 3rd-party iframe with If that makes sense, I will update the explainer to be more explicit. |
@smaug---- who I missed on the original post. |
I might be misunderstanding something about Document Policy here, but https://github.com/WICG/document-policy/blob/main/document-policy-explainer.md#deeper-nesting describes that mechanism and it seems to contradict what you're saying, and seems to work in the way you'd want for unload handlers. |
Thanks, I had forgotten about the This is not actually standardized based on this and testing it out where I see no That said, if it is implemented, it would prevent loading of subframe entirely if the required header is not present. So PP applies consistently through the whole sub-tree whereas DP will either
This definitely needs to go into the explainer. |
Permissions Policy isn't really for sandboxing features. It's for delegating the ability to request to use a particular feature. If the nested document already has access to the feature it's a poor fit. |
OK but Document-Policy has rather extreme impact on the subtree (or would if implemented). Do you think we should have a version of Document-Policy can recurse nicely on the subtree without causing pages to to fail to load? Or should we have something else entirely? |
That's kind of the point. We don't want to introduce features that can influence the control flow of cross-origin documents without those documents being okay with that. |
The principled argument (which I agree with in general) is that site-A should have no control over site-B's code execution and Separating the implementation (Document-Policy vs Permissions-Policy vs something else) from the principle (site-A should not alter site-B). The argument for making an exception for unload handlers is that they are already being semi-randomly skipped on all mobile browsers and on all WebKit. You could also argue that not running unload is essentially the same as a crash. A weaker argument is that they hurt the whole page, not just the iframe in question. So, implementation aside, how do you feel about the goal of allowing a frame to stop all of its subframe unload handlers? If you're opposed to that, debating how to do it is not useful. |
I'm rather weary of providing all these tiny cross-origin control flow points, although I'll concede that in the case of |
@cdumez @hober Does WebKit have any opinion on this proposal? If anyone has any other ideas for
I would love to hear them. Fairly long-timescale but if we can reduce unload usage enough then maybe we can get rid of unload and this cross-origin control flow ceases to exist. |
I've updated the explainer to add more discussion on the issue of cross-origin control. TL;DR the risk of exploit seems very low, pre-existing and document-domain and sync-xhr had similar risks. |
Note that |
Looking at this from the perspective of an ad server, this would be a useful tool for two reasons:
|
This policy controls whether unload handlers can be set. See w3c/webappsec-permissions-policy#444 Bug: 1324111 Change-Id: Ia7c418e7ca3131f5102fde407011e00048a94182
This policy controls whether unload handlers can be set. See w3c/webappsec-permissions-policy#444 Bug: 1324111 Change-Id: Ia7c418e7ca3131f5102fde407011e00048a94182
This policy controls whether unload handlers can be set. See w3c/webappsec-permissions-policy#444 Bug: 1324111 Change-Id: Ia7c418e7ca3131f5102fde407011e00048a94182
This policy controls whether unload handlers can be set. See w3c/webappsec-permissions-policy#444 Bug: 1324111 Change-Id: Ia7c418e7ca3131f5102fde407011e00048a94182
This policy controls whether unload handlers can be set. See w3c/webappsec-permissions-policy#444 Bug: 1324111 Change-Id: Ia7c418e7ca3131f5102fde407011e00048a94182
This policy controls whether unload handlers can be set. See w3c/webappsec-permissions-policy#444 Bug: 1324111 Change-Id: Ia7c418e7ca3131f5102fde407011e00048a94182
This policy controls whether unload handlers can be set. See w3c/webappsec-permissions-policy#444 Bug: 1324111 Change-Id: Ia7c418e7ca3131f5102fde407011e00048a94182 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3750822 Reviewed-by: Ian Clelland <[email protected]> Commit-Queue: Fergal Daly <[email protected]> Reviewed-by: Mason Freed <[email protected]> Reviewed-by: Andrey Kosyakov <[email protected]> Reviewed-by: Dominick Ng <[email protected]> Cr-Commit-Position: refs/heads/main@{#1032917}
This policy controls whether unload handlers can be set. See w3c/webappsec-permissions-policy#444 Bug: 1324111 Change-Id: Ia7c418e7ca3131f5102fde407011e00048a94182 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3750822 Reviewed-by: Ian Clelland <[email protected]> Commit-Queue: Fergal Daly <[email protected]> Reviewed-by: Mason Freed <[email protected]> Reviewed-by: Andrey Kosyakov <[email protected]> Reviewed-by: Dominick Ng <[email protected]> Cr-Commit-Position: refs/heads/main@{#1032917}
This policy controls whether unload handlers can be set. See w3c/webappsec-permissions-policy#444 Bug: 1324111 Change-Id: Ia7c418e7ca3131f5102fde407011e00048a94182 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3750822 Reviewed-by: Ian Clelland <[email protected]> Commit-Queue: Fergal Daly <[email protected]> Reviewed-by: Mason Freed <[email protected]> Reviewed-by: Andrey Kosyakov <[email protected]> Reviewed-by: Dominick Ng <[email protected]> Cr-Commit-Position: refs/heads/main@{#1032917}
From the perspective of a company that provides a security product that helps protect against malicious activity, a Permissions Policy blocking Our product needs to monitor |
…testonly Automatic update from web-platform-tests Adds `unload` to Permissions-Policy. This policy controls whether unload handlers can be set. See w3c/webappsec-permissions-policy#444 Bug: 1324111 Change-Id: Ia7c418e7ca3131f5102fde407011e00048a94182 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3750822 Reviewed-by: Ian Clelland <[email protected]> Commit-Queue: Fergal Daly <[email protected]> Reviewed-by: Mason Freed <[email protected]> Reviewed-by: Andrey Kosyakov <[email protected]> Reviewed-by: Dominick Ng <[email protected]> Cr-Commit-Position: refs/heads/main@{#1032917} -- wpt-commits: c4ad1de47c85a65efde93aae9362359475fac31a wpt-pr: 35242
This is now available as an Origin Trial in Chromium 107 (entering Beta shortly). If you would like to try it out, docs are here and you can get a token. |
This policy controls whether unload handlers can be set. See w3c/webappsec-permissions-policy#444 Bug: 1324111 Change-Id: Ia7c418e7ca3131f5102fde407011e00048a94182 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3750822 Reviewed-by: Ian Clelland <[email protected]> Commit-Queue: Fergal Daly <[email protected]> Reviewed-by: Mason Freed <[email protected]> Reviewed-by: Andrey Kosyakov <[email protected]> Reviewed-by: Dominick Ng <[email protected]> Cr-Commit-Position: refs/heads/main@{#1032917} NOKEYCHECK=True GitOrigin-RevId: 5c436e20b6d923241eadd2afe8b846ed32d46eea
@fergald it's very weird that Google.com and YouTube.com are still using
|
@alexsch01 Google is a huge organization, you will likely find many more examples. |
We (chromium) would like to propose an unload permissions policy to help sites migrate away from use of unload handlers. TL;DR this header allows disabling firing the unload event on frames and subframes.
This was previously discussed in WICG/document-policy#39
The main motivation for this is that they are a large blocker of BFCache on desktop, they are a footgun (often don't fire on mobile) and in general there are better alternatives for (hopefully) all use cases.
We know that many sites are not in a position to use this header immediately, 3rd party iframes often use unload but this lets us make a start. We have reached out to some well-known iframe providers, asking them to remove their unloads. Once they do, they can guarantee remaining unload-free by shipping this header.
@rakina @clelland @chikamune @annevk @johannhof @craigfrancis
The text was updated successfully, but these errors were encountered: