Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Consider integrity enforcement of iframe #21

Open
shekyan opened this issue Dec 14, 2015 · 23 comments
Open

Consider integrity enforcement of iframe #21

shekyan opened this issue Dec 14, 2015 · 23 comments

Comments

@shekyan
Copy link
Contributor

shekyan commented Dec 14, 2015

I can see enforcing integrity of iframe source can be useful when dealing with non-trusted origins.

@annevk
Copy link
Member

annevk commented Dec 15, 2015

How would this work with navigation of the contents? Or even the initial creation of <iframe> which will always load about:blank.

@shekyan
Copy link
Contributor Author

shekyan commented Dec 15, 2015

It shouldn't. The way I see it is that integrity is checked for primary resource loaded with response code 2xx. (browsers can be helpful there and show supported digests of the content in "view source" tab). Once navigated away - let it load whatever. Integrity can also be checked if initial load is from data:, file:, filesystem:.

@adon-at-work
Copy link

👍 for supporting iframe integrity enforcement

as long as multiple integrity values are supported as documented in the spec, hash values of empty page (be it about:blank) and any allowed page navigations can be put all there as a whitelist.

@dlongley
Copy link

This would be tremendously useful for "mediator" polyfills that need to run on third party websites. For example, for the Payment Request and Payment Handler APIs.

@annevk
Copy link
Member

annevk commented Sep 21, 2017

This also fails badly for cross-origin <iframe> as integrity requires CORS, whereas navigation (which is what <iframe> uses) never uses CORS. I don't think this feature is really doable.

@mikewest
Copy link
Member

mikewest commented Sep 21, 2017

@annevk: Never uses CORS, you say? I actually do want to change that for unrelated reasons in https://wicg.github.io/cors-rfc1918/, at least for preflights. If it's something you have fundamental objections to, we should talk. :)

@annevk
Copy link
Member

annevk commented Sep 22, 2017

I think the main problem is that CORS is about sharing content, but that's not really applicable in the <iframe> scenario. We would never want to grant cross-origin access to node trees. Using just CORS preflights seems somewhat reasonable, but a bit hackish as well. A dedicated signal might be more appropriate (especially if such servers could expect actual CORS traffic as well).

@annevk
Copy link
Member

annevk commented Sep 22, 2017

On closer inspection it seems you're already using new headers so it's likely fine. So then it's not really CORS.

@mikewest
Copy link
Member

I think the main problem is that CORS is about sharing content, but that's not really applicable in the <iframe> scenario. We would never want to grant cross-origin access to node trees. Using just CORS preflights seems somewhat reasonable, but a bit hackish as well. A dedicated signal might be more appropriate (especially if such servers could expect actual CORS traffic as well).

I'd appreciate feedback on the high-level design in that spec, as I'm hopeful we'll actually be able to start implementing it in late Q4.

For this bug, though, I would like to find a way to ask for integrity guarantees on frames. In particular, I'd like Doubleclick to be able to ensure that advertisers load a specific, audited HTML page when framed. That seems valuable. We ask for CORS on subresources because we'd otherwise expose content cross-origin: I'm not sure the same is true for frames, as I don't think we expose an error event on <iframe>. We're left with leakage issues like window.length, I suppose... but that seems like something we need to break regardless.

On closer inspection it seems you're already using new headers so it's likely fine. So then it's not really CORS.

It's like CORS++.

@annevk
Copy link
Member

annevk commented Sep 22, 2017

(You frame CORS as if it's a prevention mechanism. It's not, it enables things that are otherwise forbidden.)

A worry with CORS for <iframe> is that there is a mismatch in expectations. Once you enable CORS for such content, but the node tree still cannot be accessed, folks might incorrectly assume they're safe somehow. Another worry is that an <iframe> holds a browsing context which can be navigated from all over the place. That makes it hard to defend with CORS and integrity unless we also prevent further navigation somehow. And a final worry is that navigation is already extremely complex and very poorly defined. Each time we add more complexity to it we get further from truly understanding it and ensuring it's not actually broken.

@mikewest
Copy link
Member

(You frame CORS as if it's a prevention mechanism. It's not, it enables things that are otherwise forbidden.)

SRI's reliance on CORS is as a prevention against unintentional leakage. If you'd prefer to frame that as enabling integrity checks on cross-origin resources that would otherwise be opaque bags of bits, I'm fine with that. :)

A worry with CORS for <iframe> is that there is a mismatch in expectations.

I get that, and I understand your concerns. What I'm saying is that I would like to figure out how to apply SRI to iframed content. Perhaps doing that via CORS makes sense despite the risks you suggest. Perhaps we'll need to find some way to do it that doesn't require CORS (some other explicit opt-in). Either way, it's functionality that I'd like to be able to somehow support.

@annevk
Copy link
Member

annevk commented Sep 22, 2017

That is how I'd like to frame it, because folks often end up blaming CORS when they're actually upset with the same-origin policy.

If you're going to do SRI for <iframe> I think CORS is still the best way, but I also think that we need to carefully consider further restrictions, given the nature of <iframe>. (And also somehow convey that this actually means sharing your content. It seems that often folks think that giving away a hash isn't a big deal.)

@EGreg
Copy link

EGreg commented Dec 17, 2017

With subresource integrity for iframes, we can for the first time have a mainstream feature to let users have peace of mind the html document being loaded in the iframe has not been tampered with.

For now, a workaround is subresource integrity for Javascript which then goes to populate iframes. However, in that case the iframes must be on the same domain, which is a problem. There is currently no way to audit documents being loaded from a third party domain.

Ideally, browsers should introduce a schemes, httpc:// and httpsc:// which would show an error or warning if the content changed. The browser instances on people's computers could get a hash of this resource and flag it if it ever changes on someone else's machine. Then others could reference this url and make various claims about it, including making audits etc.

In fact ipfs://content-addressable-hash-here is somewhat similar.

Browsers can also cache commonly used resources by their SRI hash.

@BigBlueHat
Copy link
Member

FWIW an earlier draft of this specification provided the integrity attribute on <iframe> (as well as anchors and many others): https://www.w3.org/TR/2014/WD-SRI-20140318/

Having integrity expression in a standard format (RFC6920) across all hypermedia affording elements would provide a layer of verification for responses which is current inexpressible.

Having this expressiveness (and ideally browser-implemented verification as for scripts/styles) would provide great value to our work on Web Publications: w3c/wpub#125

@murbard
Copy link

murbard commented Feb 19, 2019

This would be particularly helpful for safely mediating access to localStorage. Is there any known trick to achieves this with SRI?

@amark
Copy link

amark commented Oct 17, 2021

I need this as well. Applications using my tech may want to embed an iframe that displays some instructions/information, and those teams want to make sure I can't swap out the iframe with something else (like an ad). The integrity attribute would give the confidence they correct instructions will always be displayed.

@nathanfranke
Copy link

I apologize if this is a bump, but I want to share my findings here in the hope that it will be useful to someone (or myself in the future)

I want to make a website that can guarantee some content, and be "tamper-proof" even with access to a server. The simplest form of this would be sending someone a data url with all the html already embedded:

data:text/html,<h1>This is a basic data html website, if you bookmark this it will exist forever basically.</h1>

This won't work too well for big websites though, so the second idea I had was:

data:text/html,<script src="https://example.com/script_that_loads_everything.js" integrity_no="sha256-0123456789abcdef"></script>

As long as the user has the correct URL, they can be confident that the content of the webpage was not tampered with, otherwise the page will fail to load (will probably be a blank screen) (note: I am assuming the javascript doesn't have any XSS vulnerabilities, but I am assuming that will be a priority for anyone making this type of website).

Finally, I discovered this GitHub issue, and it made me think of an even simpler URL:

data:text/html,<iframe src="https://example.com" integrity_no="sha256-0123456789abcdef"></iframe>

Again, this could guarantee a website's content integrity, with the added bonus of being mostly human readable.


When it comes to CORS, I do think there could be a vulnerability of some sorts.

<iframe src="https://api.example.com/myaccount/getsecretcode" integrity="sha256-0123456789abcdef" <!-- guess a random code here, like 123456 --> >
<!-- Check if the code we guessed was correct, not sure if WHETHER the integrity succeeded is available to us, but I guess it could be done with social engineering by conveniently asking "do you see a blank page above?" -->

<!-- Unrelated to this issue, just putting it out here, can we social engineer users to type something they shouldn't? -->
<input placeholder="CAPTCHA: Please enter the code above">

So maybe this checksum feature should only be possible if api.example.com explicitly allows CORS.

@jayaddison
Copy link

This is a feature that I'd use to provide stronger content integrity guarantees to site visitors, if and when available.

@jayaddison
Copy link

Although I suppose waiting for a specification and browser implementation(s) before adding a feature is the usual approach, in this case I think RecipeRadar may add iframe content-integrity and then hope that this feature is implemented in future (and will adapt if necessary depending on the resulting spec/implementation details).

@dveditz
Copy link
Member

dveditz commented Feb 9, 2023

I'm against this feature as described because web developers will assume this protects them when it does no such thing. In addition to the lack of control over navigation described before, the integrity check could at best ensure the HTML of the loaded page. Any sub-resource the page loads could change at a whim and the integrity check would still pass.

In a very narrow case you might be able to rely on framed content (initially, at least) IF

  • you inspect the framed page and make sure all of its resource loads have SRI checks
  • the above includes checking all the scripts (transitively, all the way down) to make sure any and all fetch requests specify integrity
  • none of its scripts use import (which we haven't figured out how to specify SRI for)
  • that a dynamically generated page doesn't radically change when any of its loaded resources are self-sabotaged and don't load

If you don't do all those things—and realistically, who will?—then the integrity attribute on a frame offers as much security as a "Please don't rob us" sticker on a bank door. But most developers won't know that. They will think the picture of the smiling security guard on the sticker is a real security guard.

@jayaddison
Copy link

I don't know - it seems to me like a case where integrity hashes can usefully be added to provide the "verify" aspect of "trust but verify" in various HTTP retrieval contexts (whether that's scripts, hyperlinks, iframes, or various other situations).

True, dynamic content may cause unexpected changes after it is loaded -- but you would know whether you retrieved the expected content (and adjust your sense of trust accordingly).

@tdelmas
Copy link

tdelmas commented Feb 10, 2023

Any sub-resource the page loads could change at a whim and the integrity check would still pass.

The same argument could be made for the integrity of js scripts that trigger the loading of other resources (js, css, links & page navigation...). Nevertheless, that integrity check is considered important.

So for iframe, I think it may still add a useful layer of security.

@jayaddison
Copy link

none of its scripts use import (which we haven't figured out how to specify SRI for)

Would this be addressed by the WICG import-maps spec? My understanding is that those do support the integrity attribute for cases where content is fetch'd by src (ref).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests