-
Notifications
You must be signed in to change notification settings - Fork 157
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Set declared policy for powerful features to self by default #532
Comments
"this slide" doesn't link to a particular slide for me. Assuming I'm understanding what you are saying correctly, it seems unlikely that at this point we can require everyone to set a If you let attackers insert an arbitrary |
Talking with @clelland after the discussion at TPAC (minutes), I think there's potentially value in letting developers opt-into a stricter mode of permission policy in which they'd need to declare each of the policy-controlled features they'd like to delegate, whether through a header. or meta tag in @shhnjk: You mentioned an incremental plan. Do you have a feel for the features you'd like to start with? Where is the risk highest? |
I think there are 2 initial targets which likely have less cross-origin usages.
For permissions which are used broadly (e.g. Worst case, we can tie the requirement to |
Collecting usage data on these would be helpful. That said,
As a small note on priorities though, which I think we'll need to think about as we spend whatever deprecation budget we have: I'd much rather prioritize ensuring that folks even begin to have the problem you're pointing to by pushing for requirements around injection mitigation. In the short term, it might be reasonable to prioritize some kind of opt-in inversion for properties who care about this risk (but don't care enough to guard frame creation). |
I don't think all of those counts will break, as we will only break cases where cross-origin iframes have requested access to those permissions. But we should collect data on cross-origin usage to be sure.
Right, but the dilemma is that the more we start late, the more it gets difficult to change the default. At least if we can add default self to new (and new-ish) APIs, we will have more hope in the future for the rest. |
Makes sense, collecting data does seem to be a good next step!
Sure. I think it's reasonable to aim for that shift for new APIs. I also think it's reasonable to shift existing APIs in that direction. I'm only saying that getting to a point where this layer matters is more important to me, and if we have a limited amount of time to spend on problems, I'd prefer to spend it there. (We should also collect data on the set of features called on pages with reasonable/better-than-reasonable CSP, of course. That number might be higher than I expect!) |
If the goal here is protecting sites which are willing and able to opt into strict CSP, and deploy a PP header in order to delegate anything (which I believe means that they are capable of setting headers in a general case), I think that we should consider a header-based opt-in, rather than changing the defaults for PP across the board. Would a solution that involved a "set the defaults" directive in the Permissions-Policy header, something akin to Permissions-Policy: *=self, some-powerful-feature=(self https://other.site) potentially work for this scenario? |
Yes that works, but I think I want to push for safe defaults if possible. WDYT? |
Features like WebUSB and WebHID already declare a default allowlist of This has been my recommendation for all new feature authors. |
See this slide for why current structure of Permissions Policy is bad for sites protected by Strict CSP.
For powerful features, we should have self by default in the declared policy in the absence of the Permissions Policy header.
The text was updated successfully, but these errors were encountered: