-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
COEP and redirects #5223
Comments
In Chromium every single redirect is reported to the renderer process. If we want to stop telling non-final redirect locations to renderer process, that would be difficult to implement. |
We do require document-level redirects to have COOP+COEP set. So the main problem would be some redirect from a non-COOP+COEP environment being smuggled in through the cache API. |
I'm not sure I understand. Are you talking about the following scenario?
|
Yes. And in general it appears problematic that if you have top-level A and it frames B which redirects to C, A can attack B's "HTTP only" secret as long as A and B are same-origin. |
Do you think it's problematic even when A, B and C are all same-origin? |
Maybe? Hard to say in the abstract. We definitely don't reveal B's redirect location (or any other information about it) today. |
Chatted with @annevk at IRC. I think I now understand @annevk's concern so let me summarize it. The problem is not specific to cross-origin, not specific to navigation and not specific to "manual" redirect mode. Let's think about the following fetch operation which is initiated on a COEP enabled environment and experiences redirects.
The redirect information, redirection location for example, is not exposed to scripts. But malicious scripts can sniff the information using SAB and similar powerful APIs that are only allowed in COEP enabled environments. |
I'm not sure how severe this kind of information leak would be, but I know that fixing this would be very difficult in Chromium, as I said at #5223 (comment). |
It's not clear to me what would need to change in any spec for Chromium to prevent redirect information from entering a given renderer process. The fact that we don't do so today is historically grounded, but not an essential feature of our implementation. I agree that it would be a ton of work to move various checks from the renderer to the browser process, and that the risk might not justify that effort (especially since it would be a trade-off against implementation of things like COEP/COOP, which seem more clearly necessary and less nice-to-have). It does remain a hole in Chromium's defense against side-channel attacks, and it seems like something Chromium ought to consider a bug. But it also seems pretty clearly to be allowed by the wording of both Fetch and COEP. Does something about either need to change? |
So I think the main thing here is that we added special semantics to Could we require the CORP header for redirects you want to store in the cache? Is that too much of a hack? |
Merges https://github.com/WICG/cross-origin-embedder-policy into HTML. Associated PRs: * whatwg/fetch#1030 * w3c/ServiceWorker#1516 * w3c/css-houdini-drafts#992 Fixes #5368, fixes #5634, fixes whatwg/fetch#985, and fixes w3c/ServiceWorker#1490. Follow-up: #4916, #4919, #4930 #5223, and #5391. (As well as defining cross-origin isolated, per #4732.)
Merges https://github.com/WICG/cross-origin-embedder-policy into HTML. Associated PRs: * whatwg/fetch#1030 * w3c/ServiceWorker#1516 * w3c/css-houdini-drafts#992 Fixes whatwg#5368, fixes whatwg#5634, fixes whatwg/fetch#985, and fixes w3c/ServiceWorker#1490. Follow-up: whatwg#4916, whatwg#4919, whatwg#4930 whatwg#5223, and whatwg#5391. (As well as defining cross-origin isolated, per whatwg#4732.)
I don't think we specifically discussed (opaque) redirects. They are same origin, but opaque to not leak any "HTTP only" secrets as per https://fetch.spec.whatwg.org/#atomic-http-redirect-handling.
How should this work with the cache API and such? Ideally they would continue to work and any secrets never make it to a process where they could be obtained, but that was also a viable strategy for opaque responses that was deemed too complicated.
Given that they are same origin CORP is also not a great header for them.
cc @whatwg/cross-origin-isolation @wanderview @perryjiang @asutherland @yutakahirano
The text was updated successfully, but these errors were encountered: