Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

“Should request be allowed to use feature” algorithm #220

Merged
merged 6 commits into from
Jan 24, 2019

Conversation

eeeps
Copy link
Contributor

@eeeps eeeps commented Sep 24, 2018

This PR is part of an attempt to address #129 – using Feature Policy to let authors opt-into sending specific Client Hints to specific origins.

The overall, basic idea is:

  1. A new set of policy-controlled features – one for each Client Hint header field – is defined in the Client Hints spec.
  2. A new algorithm which determines whether a request is able to use a policy-controlled feature is defined in the Feature Policy spec. That's defined in this PR.
  3. The step in Fetch that appends Client Hint headers calls the new algorithm, checking if a request is allowed to use a Client Hints’ policy-controlled feature before appending the Client Hint header.

index.bs Outdated
<h3 id="should-request-be-allowed-to-use-feature">Should <var>request</var> be allowed to use <var>feature</var>?</h3>
<p>Given a feature (<var>feature</var>) and a <a for="/">request</a> (<var>request</var>), this algorithm returns <code>true</code> if the request should be allowed to use <var>feature</var>, and <code>false</code> otherwise.</p>
<ol>
<li>Set |global object| to |request|’s <a for="request">client</a>’s <a for="environment settings object">global object</a>.</li>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, I'd love to get @annevk to sanity check this..

Given that we're talking about passed in "request", shouldn't we use use request's attribute directly, as defined by Fetch? E.g. Fetch#client or Fetch#request-window?

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Depends what you want to happen in non-window contexts like workers.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As mentioned below, there's not a good way to set feature policies in non-document contexts yet (work on that front is happening in #207); until there is, I don't think I can know where to check for set policies, here.

index.bs Outdated
<li>If |global object| is a {{Document}}, set |document| to |global object|.</li>
<li>If |global object| is a {{Window}}, set |document| to |global object|’s <a>associated `Document`</a>.</li>
<li>If |document| is null, return <code>false</code>.
<div class="issue">How can we enable secure use of policy-controlled features within requests initiated by clients that do not have documents? e.g., from within {{WorkerGlobalScope}}s or {{WorkletGlobalScope}}s, i.e., within Service Workers?</div>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ServiceWorker's client has an associated origin, we should be checking against that?

@jakearchibald any guidance? :)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The CSP model would probably work well here. https://www.w3.org/TR/CSP3/#html-integration

Documents and worker globals have the CSP list. Requests are blocked before reaching the service worker if they fail the document's CSP. However, the service worker may also have its own CSP which blocks additional requests.

CSP also checks responses. I don't know if that's desirable here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Workers having their own Feature Policy is being figured out here: #207. Until that's resolved, I think we can/should just return false in Worker contexts.

index.bs Outdated
<h3 id="should-request-be-allowed-to-use-feature">Should <var>request</var> be allowed to use <var>feature</var>?</h3>
<p>Given a feature (<var>feature</var>) and a <a for="/">request</a> (<var>request</var>), this algorithm returns <code>true</code> if the request should be allowed to use <var>feature</var>, and <code>false</code> otherwise.</p>
<ol>
<li>Set |global object| to |request|’s <a for="request">client</a>’s <a for="environment settings object">global object</a>.</li>

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A request's client may be null, so this spec has to deal with that.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In what contexts? If there’s no other way to get an origin in those contexts, I guess we'll return false.

index.bs Outdated Show resolved Hide resolved
Copy link
Contributor

@yoavweiss yoavweiss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple of suggested changes, but all in all looks good.

@clelland - Anything blocking us from landing this?

index.bs Outdated Show resolved Hide resolved
index.bs Outdated Show resolved Hide resolved
@clelland
Copy link
Collaborator

This looks good, thanks for the ping @yoavweiss

@clelland clelland merged commit b8ef061 into w3c:master Jan 24, 2019
@eeeps eeeps deleted the should-request-be-allowed branch January 24, 2019 19:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants