-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Secure Contexts and Cross-Origin-Embedder-Policy #4930
Comments
whatwg/html#4930 (We don't have a spec text yet). Bug: 1086066 Change-Id: I0d51df12af686dc4f1bbad252e02f9bf64981b56 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2216833 Commit-Queue: Yutaka Hirano <[email protected]> Reviewed-by: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/master@{#775421}
Merges https://github.com/WICG/cross-origin-embedder-policy into HTML. Associated PRs: * whatwg/fetch#1030 * w3c/ServiceWorker#1516 * w3c/css-houdini-drafts#992 Fixes #5368, fixes #5634, fixes whatwg/fetch#985, and fixes w3c/ServiceWorker#1490. Follow-up: #4916, #4919, #4930 #5223, and #5391. (As well as defining cross-origin isolated, per #4732.)
We can check whether the url of the response is trustworthy. We can also check if the environment settings object is (or, will be) contextually secure. Which do you prefer? Chrome implements the former. |
@yutakahirano I suspect we want to emulate the COOP check which checks both the URL and response's HTTP state (in case it's deprecated). (And perhaps we want to abstract it to make it clear they share the same logic.) |
Something like this?
|
Hmm, I see the dilemma. COEP doesn't always have an environment settings object at hand currently. I would suggest we try to find one though and use that to decide. Basing it solely on the response would seem to miss some cross-window-named targeting scenarios, although maybe they are ruled out and that's unclear due to #313? |
- platform/mac-mac10.13/.../require-corp-about-blank-expected.txt is redundant - it's same as the base expectation. - platform/mac-mac10.14/.../require-corp-about-blank-expected.txt is wrong - the test always fails on the platform (and the failures are suppressed by TestExpectations). - wpt/html/coep/require-corp-about-blank.html always fails because COEP is only effective on secure contexts (whatwg/html#4930). Rename it to wpt/html/coep/require-corp-about-blank.https.html - wpt/html/coep/require-corp-about-srcdoc.html always fails because COEP is only effective on secure contexts (whatwg/html#4930). Rename it to wpt/html/coep/require-corp-about-srcdoc.https.html - Remove redundant TestExpectations entries. Bug: 1086065, 626703 Change-Id: I5573dd4446f482acdde828404e0a88893897ce09
- platform/mac-mac10.13/.../require-corp-about-blank-expected.txt is redundant - it's same as the base expectation. - platform/mac-mac10.14/.../require-corp-about-blank-expected.txt is wrong - the test always fails on the platform (and the failures are suppressed by TestExpectations). - wpt/html/coep/require-corp-about-blank.html always fails because COEP is only effective on secure contexts (whatwg/html#4930). Rename it to wpt/html/coep/require-corp-about-blank.https.html - wpt/html/coep/require-corp-about-srcdoc.html always fails because COEP is only effective on secure contexts (whatwg/html#4930). Rename it to wpt/html/coep/require-corp-about-srcdoc.https.html - Remove redundant TestExpectations entries. Bug: 1086065, 626703 Change-Id: I5573dd4446f482acdde828404e0a88893897ce09 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2274133 Auto-Submit: Yutaka Hirano <[email protected]> Reviewed-by: Makoto Shimazu <[email protected]> Commit-Queue: Yutaka Hirano <[email protected]> Cr-Commit-Position: refs/heads/master@{#783875}
- platform/mac-mac10.13/.../require-corp-about-blank-expected.txt is redundant - it's same as the base expectation. - platform/mac-mac10.14/.../require-corp-about-blank-expected.txt is wrong - the test always fails on the platform (and the failures are suppressed by TestExpectations). - wpt/html/coep/require-corp-about-blank.html always fails because COEP is only effective on secure contexts (whatwg/html#4930). Rename it to wpt/html/coep/require-corp-about-blank.https.html - wpt/html/coep/require-corp-about-srcdoc.html always fails because COEP is only effective on secure contexts (whatwg/html#4930). Rename it to wpt/html/coep/require-corp-about-srcdoc.https.html - Remove redundant TestExpectations entries. Bug: 1086065, 626703 Change-Id: I5573dd4446f482acdde828404e0a88893897ce09 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2274133 Auto-Submit: Yutaka Hirano <[email protected]> Reviewed-by: Makoto Shimazu <[email protected]> Commit-Queue: Yutaka Hirano <[email protected]> Cr-Commit-Position: refs/heads/master@{#783875}
- platform/mac-mac10.13/.../require-corp-about-blank-expected.txt is redundant - it's same as the base expectation. - platform/mac-mac10.14/.../require-corp-about-blank-expected.txt is wrong - the test always fails on the platform (and the failures are suppressed by TestExpectations). - wpt/html/coep/require-corp-about-blank.html always fails because COEP is only effective on secure contexts (whatwg/html#4930). Rename it to wpt/html/coep/require-corp-about-blank.https.html - wpt/html/coep/require-corp-about-srcdoc.html always fails because COEP is only effective on secure contexts (whatwg/html#4930). Rename it to wpt/html/coep/require-corp-about-srcdoc.https.html - Remove redundant TestExpectations entries. Bug: 1086065, 626703 Change-Id: I5573dd4446f482acdde828404e0a88893897ce09 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2274133 Auto-Submit: Yutaka Hirano <[email protected]> Reviewed-by: Makoto Shimazu <[email protected]> Commit-Queue: Yutaka Hirano <[email protected]> Cr-Commit-Position: refs/heads/master@{#783875}
The TrustedType bypass problem discussed at w3c/trusted-types#259 is pretty interesting. COEP would have the same problem, and I think it's good to rely only on the response, not the parent contexts. |
Could you elaborate? |
When a frame asserts COEP: require-corp, it requires COEP and CORP for nested frames. Breaking that expectation when the frame is embedded in an (unencrypted) HTTP frame is confusing I think. |
I'm not sure, allowing yourself to be embedded in that way is insecure so I'm not sure we have to cater to it. |
Do you mean |
Ah sorry I misunderstood |
…ank,srcdoc}.html, a=testonly Automatic update from web-platform-tests Fix wpt/html/coep/require-corp-about-{blank,srcdoc}.html - platform/mac-mac10.13/.../require-corp-about-blank-expected.txt is redundant - it's same as the base expectation. - platform/mac-mac10.14/.../require-corp-about-blank-expected.txt is wrong - the test always fails on the platform (and the failures are suppressed by TestExpectations). - wpt/html/coep/require-corp-about-blank.html always fails because COEP is only effective on secure contexts (whatwg/html#4930). Rename it to wpt/html/coep/require-corp-about-blank.https.html - wpt/html/coep/require-corp-about-srcdoc.html always fails because COEP is only effective on secure contexts (whatwg/html#4930). Rename it to wpt/html/coep/require-corp-about-srcdoc.https.html - Remove redundant TestExpectations entries. Bug: 1086065, 626703 Change-Id: I5573dd4446f482acdde828404e0a88893897ce09 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2274133 Auto-Submit: Yutaka Hirano <[email protected]> Reviewed-by: Makoto Shimazu <[email protected]> Commit-Queue: Yutaka Hirano <[email protected]> Cr-Commit-Position: refs/heads/master@{#783875} -- wpt-commits: f911e6744606f48835f3296fab56e40d8185121c wpt-pr: 24392
…ank,srcdoc}.html, a=testonly Automatic update from web-platform-tests Fix wpt/html/coep/require-corp-about-{blank,srcdoc}.html - platform/mac-mac10.13/.../require-corp-about-blank-expected.txt is redundant - it's same as the base expectation. - platform/mac-mac10.14/.../require-corp-about-blank-expected.txt is wrong - the test always fails on the platform (and the failures are suppressed by TestExpectations). - wpt/html/coep/require-corp-about-blank.html always fails because COEP is only effective on secure contexts (whatwg/html#4930). Rename it to wpt/html/coep/require-corp-about-blank.https.html - wpt/html/coep/require-corp-about-srcdoc.html always fails because COEP is only effective on secure contexts (whatwg/html#4930). Rename it to wpt/html/coep/require-corp-about-srcdoc.https.html - Remove redundant TestExpectations entries. Bug: 1086065, 626703 Change-Id: I5573dd4446f482acdde828404e0a88893897ce09 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2274133 Auto-Submit: Yutaka Hirano <[email protected]> Reviewed-by: Makoto Shimazu <[email protected]> Commit-Queue: Yutaka Hirano <[email protected]> Cr-Commit-Position: refs/heads/master@{#783875} -- wpt-commits: f911e6744606f48835f3296fab56e40d8185121c wpt-pr: 24392
Can we use request's reserved client? We don't have it for service workers but it is not a problem. |
I think we have to use that for top-level. For nested we can just look at the parent. |
Currently https://html.spec.whatwg.org/multipage/webappapis.html#secure-context doesn't check if parent is a secure context for documents, and giving the parent environment just checks one-level. We want to check it recursively, right? |
No, that algorithm is fine. No need for recursion. The problem is that a reserved client won't have an HTTPS state so you'd have to check that manually. That's why a "full" environment settings object is preferable. |
Let's assume we have nested documents D1, D2 and D3. D1 is the parent of D2, D2 is the parent of D3. All have COEP: require-corp HTTP header. D1: http://www.example.com/D1 D1 is not a secure context, so the COEP value is Is this behavior expected? |
How would D2 end up being a secure context? (Note how it uses "top-level creation URL".) |
Oh thanks you're right, but we still can create a similar example I think. D1: https://www.example.com/D1 (HTTPS state is "deprecated") |
That seems like something we overlooked in #5659, indeed. There's a deeper issue with HTTPS state though in that an embedded document could have it set to "deprecated", but the top-level document would still be considered a secure context. Perhaps that's not something that should impact secure contexts to begin with. Only Chrome implements it so it's not even clear if it carries its weight standards-wise. |
IIUC your intention is to enable COEP settings only for environments that will be secure contexts, right? Then I think giving the parent context is confusing because parent's URL and parent's HTTPS state is not taken into account for document's secure context calculation. Does it make sense to split https://html.spec.whatwg.org/multipage/webappapis.html#secure-context to two algorithms, one[A] takes an environment settings object, another[B] takes an environment and a response? I'm considering migrating existing callers to [A] by default, and migrating the COOP use-case to [B]. COEP will use [B] for documents. It may make sense for COEP to use [A] for dedicated workers. |
I guess it really depends on whether Chrome wants to keep around HTTPS state for secure contexts as it can lead to cases where the document tree is not consistent secure-context-wise. |
I don't have an opinion, sorry to say; I just carried over HTTPS state from previous revisions of the secure context definition. I've also not had any success in getting @mikewest's help with secure context stuff. Maybe we should put a meeting on his calendar. |
Merges https://github.com/WICG/cross-origin-embedder-policy into HTML. Associated PRs: * whatwg/fetch#1030 * w3c/ServiceWorker#1516 * w3c/css-houdini-drafts#992 Fixes whatwg#5368, fixes whatwg#5634, fixes whatwg/fetch#985, and fixes w3c/ServiceWorker#1490. Follow-up: whatwg#4916, whatwg#4919, whatwg#4930 whatwg#5223, and whatwg#5391. (As well as defining cross-origin isolated, per whatwg#4732.)
If/when this is fixed, |
This has been fixed as HTTPS state is gone so secure contexts is now based purely on the URL. |
whatwg/html#4930 (We don't have a spec text yet). Bug: 1086066 Change-Id: I0d51df12af686dc4f1bbad252e02f9bf64981b56 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2216833 Commit-Queue: Yutaka Hirano <[email protected]> Reviewed-by: Arthur Sonzogni <[email protected]> Cr-Original-Commit-Position: refs/heads/master@{#775421} Cr-Mirrored-From: https://chromium.googlesource.com/chromium/src Cr-Mirrored-Commit: 6585711c62108312c5a411fad351e495ff7bbcab
- platform/mac-mac10.13/.../require-corp-about-blank-expected.txt is redundant - it's same as the base expectation. - platform/mac-mac10.14/.../require-corp-about-blank-expected.txt is wrong - the test always fails on the platform (and the failures are suppressed by TestExpectations). - wpt/html/coep/require-corp-about-blank.html always fails because COEP is only effective on secure contexts (whatwg/html#4930). Rename it to wpt/html/coep/require-corp-about-blank.https.html - wpt/html/coep/require-corp-about-srcdoc.html always fails because COEP is only effective on secure contexts (whatwg/html#4930). Rename it to wpt/html/coep/require-corp-about-srcdoc.https.html - Remove redundant TestExpectations entries. Bug: 1086065, 626703 Change-Id: I5573dd4446f482acdde828404e0a88893897ce09 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2274133 Auto-Submit: Yutaka Hirano <[email protected]> Reviewed-by: Makoto Shimazu <[email protected]> Commit-Queue: Yutaka Hirano <[email protected]> Cr-Original-Commit-Position: refs/heads/master@{#783875} Cr-Mirrored-From: https://chromium.googlesource.com/chromium/src Cr-Mirrored-Commit: 34c0036a47c782ddd4528a37a25394f7acfd8939
…ank,srcdoc}.html, a=testonly Automatic update from web-platform-tests Fix wpt/html/coep/require-corp-about-{blank,srcdoc}.html - platform/mac-mac10.13/.../require-corp-about-blank-expected.txt is redundant - it's same as the base expectation. - platform/mac-mac10.14/.../require-corp-about-blank-expected.txt is wrong - the test always fails on the platform (and the failures are suppressed by TestExpectations). - wpt/html/coep/require-corp-about-blank.html always fails because COEP is only effective on secure contexts (whatwg/html#4930). Rename it to wpt/html/coep/require-corp-about-blank.https.html - wpt/html/coep/require-corp-about-srcdoc.html always fails because COEP is only effective on secure contexts (whatwg/html#4930). Rename it to wpt/html/coep/require-corp-about-srcdoc.https.html - Remove redundant TestExpectations entries. Bug: 1086065, 626703 Change-Id: I5573dd4446f482acdde828404e0a88893897ce09 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2274133 Auto-Submit: Yutaka Hirano <[email protected]> Reviewed-by: Makoto Shimazu <[email protected]> Commit-Queue: Yutaka Hirano <[email protected]> Cr-Commit-Position: refs/heads/master@{#783875} -- wpt-commits: f911e6744606f48835f3296fab56e40d8185121c wpt-pr: 24392
Related to #4921 by @shhnjk, @mystor pointed out that in addition to computing the origin way before we are ready to create a document, we also need to have the secure context state way before we are ready to have a settings object. This is particularly relevant for
Cross-Origin-Embedder-Policy
, which can work in a framed context, provided that frame is a secure context.cc @mikewest
The text was updated successfully, but these errors were encountered: