-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Public keys in request headers #21
Comments
Assuming we use the framework in #16, I think we'd get Spelling aside, there's some interaction with CORS here if we attach this header to that @annevk might wish to weigh in on. I think we'd also want to think a little bit about whether this is a communication channel to the server that we need to worry about. I'm not sure it is any different than GET parameters, but folks have had feedback on other proposals in this area we should make sure we consider. Marking this as |
Actually, reading that spec a little more closely, I'm not at all sure how |
One other advantage to this that I want to call out: It may be useful for websites to use this to prevent public key pinning. The use case I'm imagining is that a site might want to rely solely on server-initiated checks, e.g. because they're worried about a lack of key rotation. If requests contain the public key, they could reject these requests to guarantee that they're only relying on server-initiated checks. |
One other use case for this: This makes it possible for JS libraries to understand which clients have enabled client opt-ins to signature SRI. This is potentially useful to allow sites to understand their security risks and run targeted outreach to increase deployment. |
I started prototyping this as something like Accept-Signatures: sig1=("identity-digest";sf);keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";tag="sri" It's straightforward enough to spec and implement, though I think there are a few things to think through:
I'd appreciate y'all's opinions! :) |
+1. Mandating servers to sign specific components effectively makes it impossible to deploy build-time signing since there is a large combination of possible components. So changing this to allow servers to sign whatever they want sounds like a positive change to me.
I don't have a strong opinion here. My gut is that adding it to the forbidden request headers list seems reasonable, though I'm somewhat concerned that there could be sites out there already sending
I also don't have a strong opinion here. Treating it as non-security-sensitive seems like it may be ok to me. |
This is a very good point. I'll dig through HTTP Archive.
I'm kinda hoping that @annevk might. :) |
As discussed in WICG/signature-based-sri#21, this CL sketches out what an `Accept-Signatures` header might look like. Bug: 383409575 Change-Id: I8369aa4f3ea44ebfbdcb0daab111000863e017e0
As discussed in WICG/signature-based-sri#21, this CL sketches out what an `Accept-Signatures` header might look like. Bug: 383409575 Change-Id: I8369aa4f3ea44ebfbdcb0daab111000863e017e0
I'm curious what made you second case your initial notion? I am somewhat concerned about all these headers we are adding on the side as they contribute to the overall request size and are not properly accounted for. And while it's reasonable that it doesn't count towards the Perhaps what we need to do is something along these lines:
|
Basically the concerns around potential existing usage @ddworken pointed to (though I found none in HTTP Archive, I worry about logged-in applications using an RFC9421-compliant scheme different than the profile proposed in this doc; I wouldn't want to break those), and consistency with I think it makes sense to allow developers to set
Yup. I share this concern (though I also share your intuition that servers that can't handle some larger-than-ideal amount of data in request headers are probably already a lost cause). For this specific header, I think we can mitigate the risk to some extent within the confines of the existing spec language. If we wanted to make key rotation possible without preflights, we unfortunately need more bytes (or to define some new and less-verbose header off to the side, which might be reasonable, but seems like an unfortunate divergence from what's written in RFC9421).
These sound like reasonable things to try doing. |
As discussed in WICG/signature-based-sri#21, this CL sketches out what an `Accept-Signatures` header might look like. Bug: 383409575 Change-Id: I8369aa4f3ea44ebfbdcb0daab111000863e017e0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6087895 Reviewed-by: Kenichi Ishibashi <bashi@chromium.org> Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Camille Lamy <clamy@chromium.org> Reviewed-by: Joe DeBlasio <jdeblasio@chromium.org> Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org> Cr-Commit-Position: refs/heads/main@{#1396609}
As discussed in WICG/signature-based-sri#21, this CL sketches out what an `Accept-Signatures` header might look like. Bug: 383409575 Change-Id: I8369aa4f3ea44ebfbdcb0daab111000863e017e0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6087895 Reviewed-by: Kenichi Ishibashi <bashi@chromium.org> Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Camille Lamy <clamy@chromium.org> Reviewed-by: Joe DeBlasio <jdeblasio@chromium.org> Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org> Cr-Commit-Position: refs/heads/main@{#1396609}
As discussed in WICG/signature-based-sri#21, this CL sketches out what an `Accept-Signatures` header might look like. Bug: 383409575 Change-Id: I8369aa4f3ea44ebfbdcb0daab111000863e017e0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6087895 Reviewed-by: Kenichi Ishibashi <bashi@chromium.org> Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Camille Lamy <clamy@chromium.org> Reviewed-by: Joe DeBlasio <jdeblasio@chromium.org> Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org> Cr-Commit-Position: refs/heads/main@{#1396609}
Provided we do the header accounting cleanup I think I would be okay with setting I think appending our value would just as likely confuse existing servers as they probably don't have a robust parser in place, but I suppose it's an option as well and the security implications are about the same (as by the time we append the preflight is already taken care of). |
Ok. That sounds like a reasonable compromise. I'll sketch out some spec language around that cc @yoavweiss, who I know has been interested in questions around the accounting for browser controlled headers (and/or the allowlisting of things like |
This patch adds initial support for setting the `Accept-Signature` header as we've been discussing in #21. It does not yet handle the CORS-preflight side of things, which I'll handle in a subsequent monkey-patch.
…tures`., a=testonly Automatic update from web-platform-tests [Signature-based SRI] Send `Accept-Signatures`. As discussed in WICG/signature-based-sri#21, this CL sketches out what an `Accept-Signatures` header might look like. Bug: 383409575 Change-Id: I8369aa4f3ea44ebfbdcb0daab111000863e017e0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6087895 Reviewed-by: Kenichi Ishibashi <bashi@chromium.org> Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Camille Lamy <clamy@chromium.org> Reviewed-by: Joe DeBlasio <jdeblasio@chromium.org> Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org> Cr-Commit-Position: refs/heads/main@{#1396609} -- wpt-commits: ee6608efe7e349ddba4864fbdfc9524ee023cf60 wpt-pr: 49700
…tures`., a=testonly Automatic update from web-platform-tests [Signature-based SRI] Send `Accept-Signatures`. As discussed in WICG/signature-based-sri#21, this CL sketches out what an `Accept-Signatures` header might look like. Bug: 383409575 Change-Id: I8369aa4f3ea44ebfbdcb0daab111000863e017e0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6087895 Reviewed-by: Kenichi Ishibashi <bashi@chromium.org> Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Camille Lamy <clamy@chromium.org> Reviewed-by: Joe DeBlasio <jdeblasio@chromium.org> Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org> Cr-Commit-Position: refs/heads/main@{#1396609} -- wpt-commits: ee6608efe7e349ddba4864fbdfc9524ee023cf60 wpt-pr: 49700
One thing that seems potentially useful to support is specifying the expected public key in request headers. For example, if an application specifies
integrity="ed25519-[base64-encoded public key]"
, the request could include anExpected-Integrity: ed25519-[base64-encoded public key]
request header to allow the backend to know that signature-based SRI is expected, and it will be validated against the given public key.The concrete use case I have in mind is enabling an extremely basic form of key rotation. Suppose that a widely used library is signed with key A, but that key ends up getting compromised. The library owner would then want to start signing it with key B, but existing clients would already be pinning key A. If the backend knows what key the client has pinned, it could serve the corresponding signature.
This probably isn't critical for the MVP, so if it is controversial at all, I'd be inclined to skip this. But if it is non-controversial, this does seem like a nice capability that would be easy to support.
The text was updated successfully, but these errors were encountered: