Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Iframe credentialless (WIP) #7695

Open
wants to merge 9 commits into
base: main
Choose a base branch
from

Conversation

ArthurSonzogni
Copy link
Member

@ArthurSonzogni ArthurSonzogni commented Mar 10, 2022

Explainer and spec:
https://arthursonzogni.github.io/anonymous-iframe/

Iframe credentialless requires updating several specifications:

Spec PR
HTML #7695 (this)
Fetch whatwg/fetch#1416
Storage whatwg/storage#139
CHIPS/Cookies XXX

Summary:

  • Define the credentialless flag for iframe and Window.
  • Inheritance is defined similarly to sandbox. However it do not propage
    toward popups.
  • Popup opened from credentialless Window use 'noopener'.
  • Navigation in an iframe credentialless are allowed, even if the embedder has
    COEP:require-corp|credentialless and the response do not.
  • Define the page credentialless nonce, it is used for credentialless Window as
    an additional keys in:
    • network-partition-keys,
    • storage-partition-keys,
    • cookie-partition-keys
      This ensures the document is loaded within a new and ephemeral
      context. This prevents a cross-origin-isolated parent from stealing
      important data from its child, via a Spectre Attack.
  • Password autofill must be disabled inside credentialless Window.

(See WHATWG Working Mode: Changes for more details.)


/browsers.html ( diff )
/browsing-the-web.html ( diff )
/history.html ( diff )
/iframe-embed-object.html ( diff )
/index.html ( diff )
/indices.html ( diff )
/infrastructure.html ( diff )
/origin.html ( diff )
/webappapis.html ( diff )
/window-object.html ( diff )
/workers.html ( diff )
/worklets.html ( diff )

Explainer:
https://github.com/camillelamy/explainers/blob/main/anonymous_iframes.md

Chrome status:
https://chromestatus.com/feature/5729461725036544

Summary:
- Define the anonymous flag for iframe and Window.
- Inheritance is defined similarly to sandbox. However it do not propage
  toward popups.
- Popup opened from anonymous Window use 'noopener'.
- Navigation in anonymous iframe are allowed, even if the embedder has
  COEP:require-corp|credentialless and the response do not.
- Define the `page anonymous nonce`, it is used for anonymous Window as
  an additional keys in:
  - network-partition-keys,
  - storage-partition-keys,
  - cookie-partition-keys
  This ensures the document is loaded within a new and ephemeral
  context. This prevents a cross-origin-isolated parent from stealing
  important data from its child, via a Spectre Attack.
- Password autofill must be disabled inside anonymous Window.

XXX: implement the corresponding parts on top of:
- Fetch => network-partition-keys
- StoragePartitioning => storage-partition-keys
- CookieHavingIndependantState => cookie-partition-key
- Worker.
@ArthurSonzogni
Copy link
Member Author

This is still WIP. I am not requesting a review now, but you can take a look if you are curious.
+CC @antosart @camillelamy FYI.

I still need to figure out how to integrate this into the "future" spec for storage-partitioning, CHIPS, etc...
I would like at the end to have a "WICG/anonymous-iframe" document with an introduction, a gathering of the different PR needed, and a Security/Privacy section, so that one can understand anonymous iframe in a single view.

@domenic
Copy link
Member

domenic commented Mar 10, 2022

I would like at the end to have a "WICG/anonymous-iframe" document with an introduction, a gathering of the different PR needed, and a Security/Privacy section, so that one can understand anonymous iframe in a single view.

I like this plan a lot.

@domenic domenic added addition/proposal New features or enhancements needs implementer interest Moving the issue forward requires implementers to express interest labels Mar 10, 2022
ArthurSonzogni added a commit to ArthurSonzogni/fetch that referenced this pull request Mar 21, 2022
Explainer && WIP specs:
https://arthursonzogni.github.io/anonymous-iframe/#explainer

Summary:
- Add `partition-nonce` to network-partition-key. The value is filled
  from the HTML specification.

Anonymous iframe require updating several specifications:
- HTML => whatwg/html#7695
- Fetch => (this)
- CHIPS (cookie-having-independent-partition-state) => XXX
- Storage-partitioning => XXX
ArthurSonzogni added a commit to ArthurSonzogni/fetch that referenced this pull request Mar 21, 2022
Explainer & specs (WIP)
https://arthursonzogni.github.io/anonymous-iframe/#explainer

Summary:
- Add `partition-nonce` to network-partition-key. The value is filled
  from the HTML specification.

Anonymous iframe require updating several specifications:
- HTML => whatwg/html#7695
- Fetch => (this)
- CHIPS (cookie-having-independent-partition-state) => XXX
- Storage-partitioning => XXX
ArthurSonzogni added a commit to ArthurSonzogni/storage that referenced this pull request Mar 22, 2022
Explainer & specs (WIP)
https://arthursonzogni.github.io/anonymous-iframe/

This patch adds the `environment`'s `partition-nonce` to the
`storage-key`.
  from the HTML specification.

Anonymous iframe require updating several specifications:
- HTML => whatwg/html#7695
- Fetch => whatwg/fetch#1416
- Storage => (this)
- CHIPS/Cookies => XXX
@whatwg whatwg deleted a comment Mar 25, 2022
@ArthurSonzogni ArthurSonzogni changed the title Anonymous iframe (WIP) Iframe credentialless (WIP) Nov 24, 2022
@josephrocca
Copy link

josephrocca commented Dec 9, 2022

Not sure if this is the best place to ask, but: Is the anonymous attribute expected to work for srcdoc iframes? I notice that it doesn't work in the Chrome dev trial. Wondering if this feature could be relevant to this issue - would be very useful for my purposes.

(potentially relevant crbug, as pointed out in the above issue)

@ArthurSonzogni
Copy link
Member Author

Not sure if this is the best place to ask

Thanks for your message!
@josephrocca, if you found a bug, please open an entry on https://crbug.com/ and +CC [email protected]
In particular, I would be interested getting more details about what "not working" means to you

I made a quick demo on:https://anonymous-iframe.glitch.me/srcdoc.html
Cookies JS API & LocalStorage in srcdoc iframe are working as I would have expected. I found nothing unexpected so far.
I will had some more WPT in case I might find what you had in mind.


Wondering if this feature could be relevant to #7328 - would be very useful for my purposes.

I don't think it can help you. The iframe credentialless (aka anonymous iframe) is still running inside the same agent cluster. So it is executed on the same thread.

@josephrocca
Copy link

josephrocca commented Dec 9, 2022

The iframe credentialless (aka anonymous iframe) is still running inside the same agent cluster. So it is executed on the same thread.

Ah, gotcha - thanks for the clarification!

I would be interested getting more details about what "not working" means to you

I may be misunderstanding something (as you can tell I don't know a lot about this proposal), but I tried executing window.anonymouslyFramed in the anonymous+srcdoc iframe and got undefined whereas I expected true. I also tested it on that demo that you made to confirm the behavior.

(btw, I love your demo - not sure if you're using a template or if you designed it yourself, but it's a really good/clear demonstration! very easy to understand)

@ArthurSonzogni
Copy link
Member Author

I may be misunderstanding something (as you can tell I don't know a lot about this proposal), but I tried executing window.anonymouslyFramed in the anonymous+srcdoc iframe and got undefined whereas I expected true. I also tested it on that demo that you made to confirm the behavior.

Indeed. I think this is specific to the origin trial, and it isn't going to show up for the final release. The origin trial token is valid only for a given origin. I think the origin trial component might be checking against the URL's origin instead of the window.origin. In this case "about:srcdoc" doesn't match.

Still worth double checking. I will add additional WPTs.

(btw, I love your demo - not sure if you're using a template or if you designed it yourself, but it's a really good/clear demonstration! very easy to understand)

Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
addition/proposal New features or enhancements needs implementer interest Moving the issue forward requires implementers to express interest
Development

Successfully merging this pull request may close these issues.

3 participants