From 04b73c05290237639d535caaef10e16589142c5a Mon Sep 17 00:00:00 2001 From: Jonathan Hao Date: Thu, 18 Jan 2024 19:01:16 +0000 Subject: [PATCH 1/6] Skip CORS checks when preflight is only for PNA --- index.src.html | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/index.src.html b/index.src.html index b78bab5..01a63e7 100644 --- a/index.src.html +++ b/index.src.html @@ -846,10 +846,18 @@

Fetching

is still null after handling the fetch via service workers, and amend those slightly as follows: - 1. At the very start: + 1. Replace the "If makeCORSPreflight is true and ..." + with: - 1. If |request|'s [=request/target IP address space=] is not null, - then set makeCORSPreflight to true. + 1. If one of the following is true: + * makeCORSPreflight is true. + * |request|'s [=request/target IP address space=] is not null. + + and ... + + 1. Replace "running [=CORS-preflight fetch=] given |request|" with + "running [=CORS-preflight fetch=] given |request| and + |makeCORSPreflight|" 1. Immediately after running [=CORS-preflight fetch=]: @@ -878,8 +886,14 @@

Fetching

Note: Because |request|'s [=request/target IP address space=] is set to a non-null value when recursing, this recursion can go at most 1 level deep. - 1. The [=CORS-preflight fetch=] algorithm is adjusted to handle the - new headers: + 1. The [=CORS-preflight fetch=] algorithm is adjusted to take a new parameter + |makeCORSPreflight| (default true), and handle the new headers as follows: + + 1. Only append \``Accept`\`, + \``Access-Control-Request-Method`\`, and + \``Access-Control-Request-Headers`\` to + preflight's [=request/header list=] if + |makeCORSPreflight| is true. 1. Immediately before running [$HTTP-network-or-cache fetch$]: @@ -891,6 +905,8 @@

Fetching

to "`true`" in preflight's [=request/header list=]. + 1. Only run the [=CORS check=] if |makeCORSPreflight| is true. + 1. Immediately after the [=CORS check=]: 1. If |request|'s [=request/target IP address space=] is not null, From fb91a9ca76cf32aa0ff59311baa594a05423ba4e Mon Sep 17 00:00:00 2001 From: Jonathan Hao Date: Fri, 26 Jan 2024 16:53:30 +0000 Subject: [PATCH 2/6] Add a preflight mode parameter and send Request-Method header --- index.src.html | 56 +++++++++++++++++++++++++++++++++++--------------- 1 file changed, 40 insertions(+), 16 deletions(-) diff --git a/index.src.html b/index.src.html index 01a63e7..9401d6b 100644 --- a/index.src.html +++ b/index.src.html @@ -841,23 +841,48 @@

Fetching

1. If |privateNetworkAccessCheckResult| is a [=network error=], return |privateNetworkAccessCheckResult|. + 1. Define a new algorithm to determine the preflight mode, given a + [=request=] |request| and a boolean |makeCORSPreflight|: + + 1. If |makeCORSPreflight| is true and one of these conditions is true: + + * There is no method cache entry match for |request|'s + [=request/method=] using |request|, and either |request|'s + [=request/method=] is not a [=CORS-safelisted method=] or + |request|'s [=request/use-CORS-preflight flag=] is set. + + * There is at least one [=list/item=] in the CORS-unsafe + request-header names with |request|'s [=request/header list=] for + which there is no header-name cache entry match using |request|. + + Then: + + 1. If |request|'s [=request/target IP address space=] is not + null, then return "cors+pna". + + 1. Otherwise, return "cors". + + 1. If |request|'s [=request/target IP address space=] is not null, then + return "pna". + + 1. Otherwise, return "none". + 1. Define a new algorithm called HTTP-no-service-worker fetch based on the existing steps in [=HTTP fetch=] that are run if |response| is still null after handling the fetch via service workers, and amend those slightly as follows: - 1. Replace the "If makeCORSPreflight is true and ..." - with: + 1. Let |preflightMode| be the result of invoking [=determine the + preflight mode=] given |request| and |makeCORSPreflight|. - 1. If one of the following is true: - * makeCORSPreflight is true. - * |request|'s [=request/target IP address space=] is not null. + 1. Replace the entire condition "If makeCORSPreflight + is true and ..., Then:" with: - and ... + 1. If |preflightMode| is not "none", then: 1. Replace "running [=CORS-preflight fetch=] given |request|" with "running [=CORS-preflight fetch=] given |request| and - |makeCORSPreflight|" + |preflightMode|" 1. Immediately after running [=CORS-preflight fetch=]: @@ -887,13 +912,12 @@

Fetching

non-null value when recursing, this recursion can go at most 1 level deep. 1. The [=CORS-preflight fetch=] algorithm is adjusted to take a new parameter - |makeCORSPreflight| (default true), and handle the new headers as follows: + |preflightMode| (default "cors"), and handle the new headers as follows: - 1. Only append \``Accept`\`, - \``Access-Control-Request-Method`\`, and + 1. Only append \``Accept`\` and \``Access-Control-Request-Headers`\` to preflight's [=request/header list=] if - |makeCORSPreflight| is true. + |preflightMode| is true. 1. Immediately before running [$HTTP-network-or-cache fetch$]: @@ -905,12 +929,12 @@

Fetching

to "`true`" in preflight's [=request/header list=]. - 1. Only run the [=CORS check=] if |makeCORSPreflight| is true. - 1. Immediately after the [=CORS check=]: - 1. If |request|'s [=request/target IP address space=] is not null, - then: + 1. If |preflightMode| is "pna" or "cors+pna", + + 1. [=Assert=]: |request|'s [=request/target IP address space=] is + not null. 1. Let |allow| be the result of [=extracting header list values=] given @@ -933,7 +957,7 @@

Fetching

empty, let |targetId| be |request|'s [=request/target IP address space=]. Store the permission as an ephemeral permission, then return null. - + 1. Let |targetId| be the result of [=extracting header list values=] given "`Private-Network-Access-ID`" and From 190f5d71ee6d782a1821a03947ab679d90fddda5 Mon Sep 17 00:00:00 2001 From: Jonathan Hao Date: Mon, 5 Feb 2024 14:30:30 +0000 Subject: [PATCH 3/6] Update explainer.md about CORS safelisted checks We will skip CORS safelisted checks if the preflight is only sent for PNA (i.e. would not have been set if it weren't for PNA). --- explainer.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/explainer.md b/explainer.md index 53e3d66..f79a066 100644 --- a/explainer.md +++ b/explainer.md @@ -135,7 +135,8 @@ Private network requests are handled differently than others, like so: blocked. - Otherwise, the original request is preceded by a [CORS pre-flight request](https://fetch.spec.whatwg.org/#cors-preflight-request). - - There are no exceptions for CORS safelisting. + - CORS safelisting checks are skipped if the CORS preflight is only sent for PNA. + (i.e. it would not have been sent without PNA) - The pre-flight request carries an additional `Access-Control-Request-Private-Network: true` header. - The response must carry an additional From 3e10db87cbc797387ebf05855a71a073084d1c12 Mon Sep 17 00:00:00 2001 From: Jonathan Hao Date: Mon, 5 Feb 2024 14:36:52 +0000 Subject: [PATCH 4/6] Update security_privacy_self_review.md for exposing Origin Fixes #124 --- security_privacy_self_review.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/security_privacy_self_review.md b/security_privacy_self_review.md index cc717b2..a1c2abb 100644 --- a/security_privacy_self_review.md +++ b/security_privacy_self_review.md 
@@ -23,6 +23,9 @@ laid out. See #41 for a discussion of these points. +Also, in the prelights we send the initiator's `Origin`. This was necessary to give servers in the private network enough information +to decide whether they should allow the requests from public. + ## 2. Is this specification exposing the minimum amount of information necessary to power the feature? Yes, apart from the above. From fa0e15642aa34a3e1d08cdfeb8dbd978dd02b617 Mon Sep 17 00:00:00 2001 From: JannisBush <33023300+JannisBush@users.noreply.github.com> Date: Mon, 12 Feb 2024 12:42:53 +0100 Subject: [PATCH 5/6] Fix AVASTIUM and TREND-MIRCO links --- index.src.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/index.src.html b/index.src.html index 9401d6b..fe15f50 100644 --- a/index.src.html +++ b/index.src.html @@ -83,11 +83,11 @@

Private Network Access

}, "AVASTIUM": { - "href": "https://code.google.com/p/google-security-research/issues/detail?id=679", + "href": "https://bugs.chromium.org/p/project-zero/issues/detail?id=679", "title": "Avast: A web-accessible RPC endpoint can launch 'SafeZone' (also called Avastium), a Chromium fork with critical security checks removed." }, "TREND-MICRO": { - "href": "https://code.google.com/p/google-security-research/issues/detail?id=693", + "href": "https://bugs.chromium.org/p/project-zero/issues/detail?id=693", "title": "TrendMicro node.js HTTP server listening on localhost can execute commands" }, From 00e824a679ba58511f979629b76ed2388d0232dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luo=20Yifan=EF=BC=88=E7=BD=97=E4=B8=80=E5=87=A1=EF=BC=89?= Date: Thu, 7 Mar 2024 00:30:17 +0800 Subject: [PATCH 6/6] Update and rename explariner_non-fetch_requests.md to explariner_content_security_policy.md --- ...-fetch_requests.md => explariner_content_security_policy.md} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename permission_prompt/{explariner_non-fetch_requests.md => explariner_content_security_policy.md} (98%) diff --git a/permission_prompt/explariner_non-fetch_requests.md b/permission_prompt/explariner_content_security_policy.md similarity index 98% rename from permission_prompt/explariner_non-fetch_requests.md rename to permission_prompt/explariner_content_security_policy.md index 28fb6f4..afb9535 100644 --- a/permission_prompt/explariner_non-fetch_requests.md +++ b/permission_prompt/explariner_content_security_policy.md @@ -1,4 +1,4 @@ -# Private Network Access Permission to relax mixed content for non-fetch requests +# Content Security Policy for Private Network Access Permission to relax mixed content - **Author**: lyf@google.com - **Created**: 2023-11-24
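Review bot: In patch 1/6, hunk @@ -846, the replacement condition still ends in "and ...", so a request with a non-null target IP address space whose method and headers are CORS-safelisted satisfies the new "one of the following" bullet but fails the retained safelist conditions and gets no preflight at all, contradicting the intent that PNA requests always preflight. The condition should be "(makeCORSPreflight is true and <safelist conditions>) or request's target IP address space is not null"; patch 2/6 replaces this with the preflight-mode algorithm, so consider squashing the two so the series has no broken intermediate state.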
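Review bot: In patch 1/6, hunk @@ -878, gating `Access-Control-Request-Method` on makeCORSPreflight strips the method from PNA-only preflights, so the private-network server cannot see what it is being asked to allow, and gating `Accept` is unrelated to the CORS/PNA split. Patch 2/6 restores `Access-Control-Request-Method`; squash that fix into this hunk and keep `Accept` unconditional unless there is a stated reason to drop it.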
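Review bot: In patch 1/6, hunk @@ -891, the new step "Only run the CORS check if makeCORSPreflight is true" is immediately followed by the anchor "Immediately after the CORS check:", so when the check is skipped the PNA response handling has no defined position. Anchor the PNA steps on something that always runs (the point where the preflight response is available) and add a Note explaining why skipping the CORS check is acceptable for a PNA-only preflight: the original request is not a CORS request, so its response stays opaque and the preflight only decides whether the private-network server consents to being contacted at all.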
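Review bot: In patch 2/6, hunk @@ -841, the new algorithm is later referenced as [=determine the preflight mode=] but its name is not marked up as a definition in the "Define a new algorithm to determine the preflight mode" step, so the Bikeshed link will not resolve. Wrap the name in a dfn, and consider defining the four string values "none", "cors", "pna" and "cors+pna" as an explicit set so the later "is "pna" or "cors+pna"" comparisons have a declared domain.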
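Review bot: In patch 2/6, hunk @@ -887, "|preflightMode| is true" compares a string-valued mode against a boolean and is never satisfied, so `Accept` and `Access-Control-Request-Headers` would never be appended; it should read "|preflightMode| is "cors" or "cors+pna"". As in patch 1/6, dropping `Accept` for a "pna" preflight is unrelated to the CORS split and should be left unconditional.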
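Review bot: In patch 2/6, hunk @@ -905, the removed step "Only run the CORS check if |makeCORSPreflight| is true" has no preflightMode replacement, so the CORS check now runs on "pna"-only preflights again, which undoes the stated goal of the series. Removing "Immediately after the CORS check:" also leaves the new "If |preflightMode| is "pna" or "cors+pna"," block with no anchor, so it reads as part of the preceding "Immediately before running HTTP-network-or-cache fetch" step, before any response exists. Re-add "Only run the CORS check if |preflightMode| is "cors" or "cors+pna"", give the PNA response steps an explicit anchor after the response is obtained, and end the condition with "then:" rather than a comma.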
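Review bot: In patch 3/6, the replacement line in explainer.md is ambiguous: the removed line said PNA preflights are sent even for CORS-safelisted requests, while "CORS safelisting checks are skipped" could be read as the preflight being skipped for them. Say both things explicitly, for example "The preflight is sent even if the request is CORS-safelisted; if the preflight is sent only for PNA (i.e. it would not have been sent otherwise), the CORS check on its response is skipped", and fold the trailing "(i.e. ...)" fragment into that sentence instead of leaving it after the period.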
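Review bot: In patch 4/6, the added paragraph in security_privacy_self_review.md misspells "preflights" as "prelights" and "the requests from public" should read "requests from the public network". It should also say which preflights this applies to: whether `Origin` is new information for ordinary CORS preflights or only for the PNA-only preflights introduced in patches 1/6 and 2/6, since that is the delta a reviewer of #124 needs to judge.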
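Review bot: In patch 5/6, the subject line misspells "TREND-MICRO" as "TREND-MIRCO"; the two href changes in the hunk are consistent with the biblio entry names and need no further change.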
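Review bot: In patch 6/6, the rename carries the misspelling "explariner" from the old filename into the new one (permission_prompt/explariner_content_security_policy.md); since the file is being renamed anyway, correct it to "explainer". The diff also changes only the title (similarity 98%, one insertion and one deletion), so the body presumably still describes non-fetch requests; either update the body to match the new Content Security Policy title or keep the old title until it does.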