[web-api] Limit cross-origin sharing of Wasm modules. #1352
Conversation
dtig
changed the title
|
I'll try to review this week |
|
@Ms2ger Friendly ping for a review. |
| @@ -150,6 +152,8 @@ The [=serialization steps=], given |value|, |serialized|, and |forStorage|, are: | |||
| 1. Set |serialized|.\[[Bytes]] to the [=sub-serialization=] of |value|.\[[Bytes]]. | |||
|
|
|||
| 1. Set |serialized|.\[[AgentCluster]] to the [=current Realm=]'s corresponding [=agent cluster=]. | |||
|
|
|||
| 1. Set |serialized|.\[[Origin]] to be the [=origin-serialization=] of the user agent's [=origin=]. | |||
There was a problem hiding this comment.
A user agent doesn't have an origin - most likely this should be the origin of the relevant settings object for value.
| @@ -150,6 +152,8 @@ The [=serialization steps=], given |value|, |serialized|, and |forStorage|, are: | |||
| 1. Set |serialized|.\[[Bytes]] to the [=sub-serialization=] of |value|.\[[Bytes]]. | |||
|
|
|||
| 1. Set |serialized|.\[[AgentCluster]] to the [=current Realm=]'s corresponding [=agent cluster=]. | |||
|
|
|||
| 1. Set |serialized|.\[[Origin]] to be the [=origin-serialization=] of the user agent's [=origin=]. | |||
There was a problem hiding this comment.
I'm also wondering if using the serialization is correct - this would perhaps allow transferring between two opaque origins. I'm not sure if we can store the origin itself here - @annevk?
|
I'd still like a reply to my question in #1303 (comment). I read the minutes and it's clear my point there was not considered or addressed as it's a rather high-level discussion. And the minutes also seem to contain something that illustrates a rather fundamental misunderstanding of how this works:
As to @Ms2ger's question, normally an opaque origin would also imply a different agent cluster (and this PR keeps the agent cluster in tact, as it should), but there is this edge case that is still unsolved: whatwg/html#5254. |
|
@dtig, this PR is stale, what's the status? |
|
@dtig, any progress on this PR, or should we close it? |
|
I'm closing this for now, because without infrastructure that the Wasm web spec can use, and better consensus on the checks themselves, this is out of scope for the Wasm CG. Will reopen if anything changes. Sorry for the slow response, I was unsure about the status of the various parts of the deprecations that are connected to this, and had some trouble with parsing the information across different parts of the spec. |
This was discussed, and voted on in the June 22nd meeting (notes). The suggested solution was to limit sharing modules across origins. There is some discussion in the linked issue #1303, but it doesn't look like the HTML spec has a way to enforce an origin check in the serialization infrastructure.
This PR aims to store the origin as well as the agent cluster, and throw if there has been an attempt to post message across origin, the text right doesn't handle opaque origins as they are
nullwhen serialized. Another option is to be vague and include a same-origin check, but digging into it more, it's not clear how this would be implemented. Opening this PR to gather feedback, I'm also quite unfamiliar with the HTML spec, so links to existing infrastructure to do this correctly appreciated.Closes #1303.