-
Notifications
You must be signed in to change notification settings - Fork 35
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider integrity enforcement of iframe #21
Comments
How would this work with navigation of the contents? Or even the initial creation of |
It shouldn't. The way I see it is that integrity is checked for primary resource loaded with response code 2xx. (browsers can be helpful there and show supported digests of the content in "view source" tab). Once navigated away - let it load whatever. Integrity can also be checked if initial load is from |
👍 for supporting iframe integrity enforcement as long as multiple integrity values are supported as documented in the spec, hash values of empty page (be it about:blank) and any allowed page navigations can be put all there as a whitelist. |
This would be tremendously useful for "mediator" polyfills that need to run on third party websites. For example, for the Payment Request and Payment Handler APIs. |
This also fails badly for cross-origin |
@annevk: Never uses CORS, you say? I actually do want to change that for unrelated reasons in https://wicg.github.io/cors-rfc1918/, at least for preflights. If it's something you have fundamental objections to, we should talk. :) |
I think the main problem is that CORS is about sharing content, but that's not really applicable in the |
On closer inspection it seems you're already using new headers so it's likely fine. So then it's not really CORS. |
I'd appreciate feedback on the high-level design in that spec, as I'm hopeful we'll actually be able to start implementing it in late Q4. For this bug, though, I would like to find a way to ask for integrity guarantees on frames. In particular, I'd like Doubleclick to be able to ensure that advertisers load a specific, audited HTML page when framed. That seems valuable. We ask for CORS on subresources because we'd otherwise expose content cross-origin: I'm not sure the same is true for frames, as I don't think we expose an error event on
It's like CORS++. |
(You frame CORS as if it's a prevention mechanism. It's not, it enables things that are otherwise forbidden.) A worry with CORS for |
SRI's reliance on CORS is as a prevention against unintentional leakage. If you'd prefer to frame that as enabling integrity checks on cross-origin resources that would otherwise be opaque bags of bits, I'm fine with that. :)
I get that, and I understand your concerns. What I'm saying is that I would like to figure out how to apply SRI to iframed content. Perhaps doing that via CORS makes sense despite the risks you suggest. Perhaps we'll need to find some way to do it that doesn't require CORS (some other explicit opt-in). Either way, it's functionality that I'd like to be able to somehow support. |
That is how I'd like to frame it, because folks often end up blaming CORS when they're actually upset with the same-origin policy. If you're going to do SRI for |
With subresource integrity for iframes, we can for the first time have a mainstream feature to let users have peace of mind the html document being loaded in the iframe has not been tampered with. For now, a workaround is subresource integrity for Javascript which then goes to populate iframes. However, in that case the iframes must be on the same domain, which is a problem. There is currently no way to audit documents being loaded from a third party domain. Ideally, browsers should introduce a schemes, httpc:// and httpsc:// which would show an error or warning if the content changed. The browser instances on people's computers could get a hash of this resource and flag it if it ever changes on someone else's machine. Then others could reference this url and make various claims about it, including making audits etc. In fact ipfs://content-addressable-hash-here is somewhat similar. Browsers can also cache commonly used resources by their SRI hash. |
FWIW an earlier draft of this specification provided the Having integrity expression in a standard format (RFC6920) across all hypermedia affording elements would provide a layer of verification for responses which is current inexpressible. Having this expressiveness (and ideally browser-implemented verification as for scripts/styles) would provide great value to our work on Web Publications: w3c/wpub#125 |
This would be particularly helpful for safely mediating access to localStorage. Is there any known trick to achieves this with SRI? |
I need this as well. Applications using my tech may want to embed an iframe that displays some instructions/information, and those teams want to make sure I can't swap out the iframe with something else (like an ad). The integrity attribute would give the confidence they correct instructions will always be displayed. |
I apologize if this is a bump, but I want to share my findings here in the hope that it will be useful to someone (or myself in the future) I want to make a website that can guarantee some content, and be "tamper-proof" even with access to a server. The simplest form of this would be sending someone a data url with all the html already embedded:
This won't work too well for big websites though, so the second idea I had was:
As long as the user has the correct URL, they can be confident that the content of the webpage was not tampered with, otherwise the page will fail to load (will probably be a blank screen) (note: I am assuming the javascript doesn't have any XSS vulnerabilities, but I am assuming that will be a priority for anyone making this type of website). Finally, I discovered this GitHub issue, and it made me think of an even simpler URL:
Again, this could guarantee a website's content integrity, with the added bonus of being mostly human readable. When it comes to CORS, I do think there could be a vulnerability of some sorts. <iframe src="https://api.example.com/myaccount/getsecretcode" integrity="sha256-0123456789abcdef" <!-- guess a random code here, like 123456 --> >
<!-- Check if the code we guessed was correct, not sure if WHETHER the integrity succeeded is available to us, but I guess it could be done with social engineering by conveniently asking "do you see a blank page above?" -->
<!-- Unrelated to this issue, just putting it out here, can we social engineer users to type something they shouldn't? -->
<input placeholder="CAPTCHA: Please enter the code above"> So maybe this checksum feature should only be possible if |
This is a feature that I'd use to provide stronger content integrity guarantees to site visitors, if and when available. |
Although I suppose waiting for a specification and browser implementation(s) before adding a feature is the usual approach, in this case I think RecipeRadar may add |
I'm against this feature as described because web developers will assume this protects them when it does no such thing. In addition to the lack of control over navigation described before, the integrity check could at best ensure the HTML of the loaded page. Any sub-resource the page loads could change at a whim and the integrity check would still pass. In a very narrow case you might be able to rely on framed content (initially, at least) IF
If you don't do all those things—and realistically, who will?—then the integrity attribute on a frame offers as much security as a "Please don't rob us" sticker on a bank door. But most developers won't know that. They will think the picture of the smiling security guard on the sticker is a real security guard. |
I don't know - it seems to me like a case where integrity hashes can usefully be added to provide the "verify" aspect of "trust but verify" in various HTTP retrieval contexts (whether that's scripts, hyperlinks, iframes, or various other situations). True, dynamic content may cause unexpected changes after it is loaded -- but you would know whether you retrieved the expected content (and adjust your sense of trust accordingly). |
The same argument could be made for the integrity of js scripts that trigger the loading of other resources (js, css, links & page navigation...). Nevertheless, that integrity check is considered important. So for iframe, I think it may still add a useful layer of security. |
Would this be addressed by the WICG |
I can see enforcing integrity of iframe source can be useful when dealing with non-trusted origins.
The text was updated successfully, but these errors were encountered: