-
Notifications
You must be signed in to change notification settings - Fork 72
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
iframe credentialless (was: Anonymous iframe) #628
Comments
We have started looking at this, but need more time. Part of this proposal I think supports the argument in whatwg/storage#142 that we ought to refactor origin, storage key, and network partition key, into a new authority field (or equivalent) we take care of propagating correctly. That ultimately means that changes like this need to happen in fewer places and we can be more sure they end up impacting all the necessary places. |
Gentle ping ;-) Thanks for the 3 issues filled so far (#1, #2, #3). I did moving the anonymous bit into PolicyContainer. There are two filled issues left: the name and type of the attribute. I replied/explained and I am looking for your comments. Maybe @sefeng211 or @smaug---- have some opinions about this feature overall? About @annevk last comment: Yes I think I agree with that. |
Will defer to @smaug---- but my understanding is that the concern at WICG/anonymous-iframe#5 (comment) hasn't changed:
If it were possible to solve the usecase without introducing a new attribute that seems ideal. I do see the consideration against i.e. using a new sandbox flag at https://wicg.github.io/anonymous-iframe/#alternatives-sandbox - thanks for documenting that. This may be an uninformed question, but can you say more about why this wouldn't be achievable with something like |
Thanks @bgrins!
This doesn't fit sandbox attribute, because with sandbox, the iframe starts from the full "sandboxed" state and we can then allow again some of them with them with "allow-xxx". We can't express "disallow-xxx" with the syntax. |
Yes you can express disallow-. Just use disallow-. My worry with adding yet another attribute is that there isn't any coherent way to affect how iframes behave. We add more and more such attributes and the overall behavior becomes hard to define and understand. |
This would introduce the first "disallow-xxx" in the API.
Trying to avoid new attributes to spread is a nice goal. If we can, that's good. Sandbox doesn't look like a good one to me, but maybe there are some alternatives? |
I would second Arthur's comment that using sandbox flags means that we would introduce the first disallow flag, and a whole new mechanism for how sandbox flags behave. In this particular case, there is also an additional challenge in that this particular sandbox flag could not be settable through a CSP header. This is because the request for the iframe document must be done without credentials, but by the time we get a response with a CSP header asking for this flag, credentials have already been used to make the request. Overall, it seems to us that the precise mechanism we need to implement is sufficiently different from sandbox flags that we should have a different attribute instead of having this as a part of sandbox flags. |
@camillelamy that's a good point and one I hadn't considered. If those headers are expected to reflect the sandbox attribute on frames then it would be surprising to add one that doesn't work the same. Might be worth capturing that in https://wicg.github.io/anonymous-iframe/#alternatives-sandbox. |
Sandbox is already special when it comes to CSP. CSP with |
Yes, I agree the interaction with CSP and response headers is not a hard blocker for using sandbox, we could just ignore them, because it is too late. |
You can define disallow-xxx with sandbox. You just do it. One would need to define something new, but adding a totally new attribute is a new thing too. Though, I wouldn't be surprised if credentialless iframes will be usually also sandboxed. One probably doesn't want to let ads and such to do top level navigations for example. Do you have some concrete examples which would be broken with sandbox + disallow ? Such examples may reveal issues in the sandbox itself, like missing allow-*. |
@mikewest also noted sandbox flags are inherited toward popups. This conflicts with the design where we decided the anonymous attribute do not propagate to popups (here) We would have to define some exceptions to the current logic if we go this way.
Yes, that's very likely true.
I was mostly annoyed that the closest equivalent to: <iframe anonymous> becomes: <iframe sandbox="disallow-credentials allow-downloads allow-forms allow-modals
allow-orientation-lock allow-pointer-lock allow-popups
allow-popups-to-escape-sandbox allow-presentation allow-same-origin
allow-scripts allow-top-navigation"> Yes, users may already be using sandbox, in this case, this is not really annoying for them. About the flags we can't allow-xxx back. I see:
I also initially suspected kAutomaticFeature, but it is essentially an alias for kScript. I will check what others are thinking about using sandbox.
Among all the existing attributes. It remains <iframe allow="credentials='none'"> Not sure how it works with regards to inheritance and how to deal with the possible |
Hello @smaug---- Developer experience is the annoying thing about the disallow- framing. Needing to specify every allow- flag to get mostly back to normal behavior isn't nice. But maybe we can define it as: <iframe sandbox="allow-all disallow-credentials"> to switch the sandboxing parser into something of a blocklist as opposed to an allowlist? About window.anonymouslyFramed it has to be renamed. Maybe: window.credentialless ? It is promising if the objection is only about how things are named/activated and not about how things work. @smaug---- what do you think would be Mozilla position if this is moved to a sandbox flag? I didn't get any feedback from Webkit yet: |
@bgrins or @smaug---- Do you have any other feedback about the feature outside of how it is activated/spelled (sandbox vs anonymous)? Is it good in your opinion? |
In general I do like the concept of credentialless/anonymous iframes. allow-all doesn't feel too future proof. I'm not yet convinced it is needed. At least it isn't anything which must be added initially. Also, the popup opening handling (noopener by default) is kind of separate primitive to credentialless loads. |
Great! I am pleased about this!
I agree.
Popup aren't allowed, because they can be used in OAuth flow to retrieve credentials. In a crossOriginIsolated environment, the attacker can use Spectre to exfiltrate personalized data. See this section of the threat model. Iframes are different in kind from popup: Users can't verify the URL of the iframe's document. We aren't worried of the user typing their credentials directly inside, because from the user's perspective, there are no difference with a malicious website mimicking the iframe with its own HTML elements and a legitimate iframe. I am prototyping the sandbox alternative. The conceptual difficulty I am seeing is that sandbox flags may be inherited to popup. It means we have to support some kind of "anonymous main frame". This is new. Not sure how to properly handle this. |
If one of you @smaug----, @bgrins or @sefeng211 are going to TPAC 2022 in 2 weeks, this could be the perfect opportunity to discuss this. |
I'll be there :) |
Any progress from discussion at TPAC? There's now an I2S on blink-dev for this. I've weighed in with my initial support personally, but I'm willing to be convinced that there are some concrete steps that should be taken first. |
FYI smaug is away this week, but when he's back I'd like his feedback coming out of discussion at TPAC & issues like WICG/anonymous-iframe#5 |
We're negative on this one until open API issues are resolved. We may or may not support after that depending on the outcome - would like to hear more about the discussion at TPAC and have a chance to discuss with smaug. |
Folks from Google said at TPAC that they will ask the origin trial users whether sandbox is always used with anonymous iframes and report back (since that information might affect the API design). I haven't heard anything back and I was rather surprised to see intent-to-ship. Also, this isn't really anonymous, but credentialless, |
Hi @smaug---- ! Following our discussion at TPAC, We're still concerned that the model with several sandbox flags to use in conjunction, including the first disallow flags is hard to explain to developers. There are several open questions we don't know how they can be solved. Considering this, we think the current solution is the better one. We have feedback from partners that it solves their need, and are under tight timeline to provide them with a way to keep using SABs on their website by allowing them to deploy cross-origin isolation. Considering that we have no clear feedback so far that Mozilla would be interested in implementing anonymous iframes even if they were spelled as sandbox flags, we made the decision to ship with what we have implemented. We should have updated the email thread, but due to travelling/COVID, this fell through. I am sorry about this. Here are the results. |
We decided to address issue #5: “rename anonymous iframe into iframe credentialless”. We acknowledge this is not the core disagreement. It is about controlling the feature via multiple new sandbox flags. We think it is much less ergonomic and makes the feature harder to explain to developers. The integration with sandbox flags has some challenging problems listed in this document. We don’t know ways to overcome some of them. So we would like to continue without sandbox flags. |
We discussed Iframe credentialless yesterday, during the WebAppSec working group, with @dveditz 👋 |
? 🥺 |
I'm no expert, but I see some overlap between Considering the cookie access, there could be a new This would be backwards compatible because anyone using <!-- New flag -->
<iframe sandbox="allow-scoped-origin"></iframe> <!-- Old flag, which effectively overrides the strictness of the new one -->
<iframe sandbox="allow-scoped-origin allow-same-origin"></iframe> Am I missing something? Is there any rule that forbids two |
@FezVrasta The trouble is that you are trying to add a sandbox directive that removes functionality, while every other sandbox directive adds it back in. The most restrictive sandbox directive is |
No I'm not removing functionalities. A full sandbox doesn't allow cookies access, you need the allow-same-origin to access them. You would have 3 tiers:
|
Thanks @FezVrasta! Here is a paragraph about this. The navigation response in a credentialless iframe is requested without credentials 1. This is key to the security story. That's not the case for fully sandboxed iframe. Secondly, Footnotes
|
Greetings and Salutations all 👋, I'm coming from the R world that recently gained the ability to have R in the browser through webR, which uses WebAssembly via Emscripten. Unfortunately, we need to set both COOP and COEP headers to speed up the page load (to avoid students navigating away). But, we then lose the ability to embed lecture videos since COEP is interfering with Would it be possible to further standardize the |
One thing I'm not very keen on in credentialless iframes is that they don't get their own origin (I mean own vs non-credentialless iframes), only storage partitioning. So if one uses non-credentialless iframes and credentialless iframes in a same page, one gets the weird behavior where they may touch each others, but how data is stored depends on which iframe is used for it. And that would mean some page in a site is using COEP for a reason and gets credentials, but other page wasn't meant be used that way, yet they Also, it is unclear how StorageManager works with this. Is there a risk that StorageManager.estimate() can be used as a side channel to communicate with the credentialless iframe? Or if not, does that mean one can get double the storage space (half of it temporary) by just using |
It would look like an idea derived from: webappsec-suborigins. Instead of reusing Not depending on |
=> Double storage space (half of it temporary). See new WPT. Iframe credentialless augments the storage key. Then, everything is the consequence of how storage partitionning is defined. See quota-storage-partitioning:
To avoid using quota as a communication channel, it sounds like a reasonable thing. It also implies one can get additional storage space using partitioning in general, especially when using the cross-origin ancestor bit in storage key. Objections to that scheme would entail changes to partitioning generally, not credentialless iframes specifically. |
Why would origin-partitioning be any harder? And I guess that isn't even the right question. The question is what is the most reasonable API for the Web? And storage usage, does Chrome really allow a site to fill the whole disk if it uses <iframe credentialless> ? |
Well, credentialless iframes should just not use partitioned storage, they should have their own origin-partitioning. |
Lack of
These two require conflicting CORP headers, but can work together with |
Any news on this? At least some estimation on if and when this might be available? |
I wanted to point out here that this feature might result in security issues due to websites using it for authenticated scenarios for which the feature does not really work. See WebKit/standards-positions#45 (comment) onward. I personally think we need to go back to the drawing board. |
I am not a security guy and I don't know much about how YouTube or Vimeo work, but it shouldn't be impossible to be able to show a running video in an isolated iframe popup, which is my current scenario. And I am sure you know it works in Chrome since forever. Are you saying all Chromium browsers are hackable because of it? |
Request for Mozilla Position on an Emerging Web Specification
Other information
WICG proposal. The Feedback section mentions who are the developers interested in anonymous-iframe.
+CC @mikewest @camillelamy
The text was updated successfully, but these errors were encountered: