-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Define a policy container #4926
Comments
I like this idea. From my experience, logic of inheriting policies to local scheme + "javascript" would be:
This logic align with how SOP works in the browser (except Data URL, which is optional to inherit a policy). However, I don't know how to write this logic in a spec words... Another problem is around CSP sandbox where some people seems to have issues deciding logic for it, but this is still unclear since we haven't decided if we want to consider CSP sandbox a same-site or cross-site. If that's decided, then there will be no issues. |
That would be helpful also for Trusted Types, especially with the clone operation, as the TT guards also have a state that JS APIs can affect - a list of policy names that were already created. If we could bootstrap |
I've opened #6186 for the specific case of origin isolation, and would love guidance from the folks involved in these threads. |
We would like to push this forward. We created an explainer with more details on how the policy container could look like: https://github.com/antosart/policy-container-explained. We also started a prototype implementation of the idea in chrome, which looks promising at the moment. |
That looks great @antosart, thanks so much for working on this! One nit: when talking about blobs you want to talk specifically about creating blob URLs, as creating blobs (as in, |
I'm also excited to see this work progressing! Would it be reasonable to follow the COEP model of creating a label in this repo for conversation/questions? I suspect that @antosart, et al. will end up with a monkey-patch spec to wrap up suggested changes, but keeping discussion on the HTML repo seems better for visibility. |
Yes! I added Pâris Meuleman, Antonio Sartori, and Mike West to the WHATWG triage team, meaning you get to set labels and such. I'll also add "topic: policy container" as a label for whatwg/html. |
Thank you @antosart for looking into this. I just have a recommendation, which is to almost always use the navigation initiator to inherit the policy to local scheme instead of relying on parent or opener (there have been bugs due to this). There is an exception to this, which is about:srcdoc, which should always inherit policy from the parent. |
Thanks! @annevk thanks for the clarification, I made sure we always talk about blob URL in the explainer now. @shhnjk yes, that was the intention. I guess "Parent document embeds empty or srcdoc frame" might have been misleading, so I replaced "embeds" with "creates". But the idea would be that this holds only for the initial creation: upon navigation to a local scheme, we would use the initiator's policies. For about:srcdoc, my understanding is that you cannot navigate something to about:srcdoc (the only thing you can do is modify the frame.srcdoc attribute), so that would always come from the parent. But I'd be interested if you could share more background on the bugs you are writing about. |
In Chrome, cross-origin iframe can navigate to |
Indeed, thanks for pointing that out! That's an important observation. I added a sentence to the explainer clarifying that. |
I found this somewhat-related issue in #856 that people should be aware of, although I don't think the overlap is 100%. |
I stumbled upon #4510 and I realised the explainer does not define any inheritance for document.open(). Initially, I thought that since However, as pointed out in #4510, the ownership of the document's content after |
I think I prefer keeping policies as-is and not try to do something special for |
@annevk that sounds right to me. Another case I see we did not address in the explainer is navigations to |
I think I agree with that as well, though whatwg/html has many open issues on |
This change adds the policy container concept. See also https://github.com/antosart/policy-container-explained. A policy container serves as collection of policies to be applied to a document, WorkerGlobalScope, or WorkletGlobalScope. Its purpose is to simplify how policies are initialized and inherited. Policies are populated by parsing headers and/or meta elements. A policy container can be cloned, hence supporting inheritance of policies. Initially a policy container only contains a CSP list. This is not meant to be a behavioral change, but rather a refactoring. Small behavioral changes introduced by this change (for example storing and reloading policies from history) address what are usually considered to be bugs in the standard/implementation (which often turn out to be security vulnerabilities). CSP PR: w3c/webappsec-csp#482. Service Worker PR: w3c/ServiceWorker#1588. Helps with #4926.
@antosart should we close this and use a new issue to keep track of the remaining work or keep using this until we have covered most things? Issues I filed today around integration: |
@annevk I would say we can close this and follow up separately on the other policies. |
Reading this issue again I'm having cold feet as there are many other issues referenced that also need some kind of action to be taken. So until someone has time to properly triage them all and decide on a plan I guess I rather keep this open. |
Part of whatwg#4926. Closes whatwg#4916.
There are numerous open issues about "inheritance" of policies such as CSP, referrer policy, origin, cookie URL (not defined), base URL, service worker registration, etc. into a dedicated/shared worker or nested document whose URL is
about:blank
,about:srcdoc
, a blob URL, or a data URL.The idea behind this issue is to research these policies, see if we can make them consistent, and add infrastructure in place that makes existing policies more rigorous and introducing new policies drastically simpler.
The imagined infrastructure takes the form of a "policy container" that supports a "clone" operation. Each policy would also have to define a "clone" operation (unless the policy can be expressed in an Infra map or list perhaps). We'd then define exactly when the policy container is cloned and how to instantiate a new document with a policy container containing a number of policies.
TODO:
(See w3c/FileAPI#142 for dealing with blob URLs. A policy container would it easy to formalize that idea.)
cc @mikewest @hiroshige-g @wanderview
The text was updated successfully, but these errors were encountered: