largeBlob storage extension can be used to bypass 3p storage restrictions

[jumde]

3p cookie restrictions in different browsers prevent users to be tracked across sites by 3p sites. largeBlob does not have any restriction in terms of origin/access of blob data in 3p context. This can be used as a way to bypass 3p cookie restriction.

Suggested Mitigation: Disallow largeBlob extension in 3p context.

[emlun]

Care to elaborate on how such a bypass would be done? As I understand the largeBlob extension, the data stored is tied to a particular credential, and access to any credential is restricted to the origin that created it.

[jumde]

Thanks for the quick response @emlun -

As I understand, let say user registration on foo.com creates a blob in the authenticator for foo.com. iframes of foo.com embedded on different sites using the blob in the authenticator for foo.com can track users across sites.

Let me know if I'm missing something.

[emlun]

Sorry, I'm not sure how to parse that syntax. Do you mean this...

(iframes of foo.com [...] using the foo.com blob) can track users across sites

or this?

(iframes of foo.com embedded on (different sites using the foo.com blob)) can track users across sites

If the former, then yes - if the iframe can successfully authenticate a user with a WebAuthn credential (which requires an active user gesture) then the iframe can of course identify the user. But I fail to see what that has to do with the blob.

If the latter, it's not supposed to be possible for different sites to exercise each other's credentials in a compliant browser.

[kenrb]

It is also worth pointing out that tracking implications of WebAuthn availability in cross-origin iframes were discussed in issues #911 and #1336. Credentials are already user-identifying, so as @emlun mentions it isn't clear how largeBlob changes anything about the concerns raised there.

[nicksteele]

As @kenrb said, credentials are already user-identifying. If a 3rd party already has that, then they don't need largeBlob to identify the user.

[jumde]

Thanks @nicksteele @kenrb @emlun for the feedback. From a DM conversation with @ve7jtb -

me: If the blob can be accessed without user-authentication. the site-authors can use it as an alternative to 3p storage. Let's say foo.com is embedded as an iframe in bar.com and baz.com . If 3p storage is blocked by the user foo.com , the embedded frame has no way to identify the user. But, if largeBlob is accessible foo.com can identify that user visited bar.com and baz.com .

jbradley: it is only available to the RP via the largeblob extension if the user authenticates. each large blob member is encrypted by the platform with a key that is part of a credential. largeblob is never directly accessible to a RP. It is accessable to the platform but that can't decrypt anything without a authentication, and that requires UP and possibly UV depenfing on the credprotect lavel.