-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Set content-type header when sending reports. #18
Comments
We decided it's not awesome, and that we should migrate to https://wicg.github.io/reporting/ which respects CORS. What type does expect-ct send today? |
Today Expect-CT sends application/json, but we can totally change that. By "respects CORS", do you mean that reports sent via Reporting API will send preflights? |
Yeah, basically, that's what it would mean. (Putting more pressure on @mikewest to finish Origin Policy so origins can opt out of preflights.) |
Thinking about this some more, why do we consider, say, HPKP reports to be a SOP violation but not OCSP requests, which can also have non-whitelisted headers (https://tools.ietf.org/html/rfc6960#appendix-A.1)? |
@estark37 I think those would be equally problematic. It's really any outgoing request from a browser that goes to an address determined by the user or a third-party. |
@annevk Can you explain why? Note that the "third-party", in this case, is a trusted party responsible for the foundation of security (namely, CAs). This is not, say, the server itself, it's a trusted third-party, no different than the browser sending something to its vendor. |
@sleevi ah, that's why I wrote think. I would classify that as second-party since there's some kind of relationship and mutual understanding. |
@annevk OK, so one more complication ;) A name-constrained subCA, in which the CA has restricted the set of issuance for a particular CA certificate to a domain namespace, and, by doing so, most browsers absolve the issuing CA of its responsibility, oversight, and auditing. That is, you could have
Baz can issue any number of additional intermediates, and control the OCSP responder URLs, the cRLDistributionPoints, and the AIA caIssuers to arbitrary URLs in an arbitrary namespace. With the exception of Firefox, all other browsers are using a separate, non-browser networking stack to perform these requests, and, depending on the OS, out of process and in a separate security context. Can you clarify/explain where/why, in these cases, in which it is truly third-party, the concern is? :) I must admit, I'm not sure it's immediately obvious to me. |
If Baz can be rogue without consequences it could create requests within the user's private network that browsers might not have been expected to make and therefore have unforeseen side effects on endpoints within that network. The theory being that browsers are only expected to make requests that fulfill SOP (meaning same-origin and whatever It seems unlikely that any private network would be that naive that the only attacker can be the browser, but if we're not serious about holding that line I would be extremely curious to learn where the line is. |
@annevk With the exception of Firefox, the browser does not make these connections, the OS does. Much like, for example, interrogating some GPUs about their capabilities will result in a network fetch of DTDs for the XML specification baked into the driver (I wish I was joking). But yes, such a name-constrained sub-CA can direct the requests at any particular endpoint. Even under a 'pessimistic' implementation (which no browser implements), which does not perform network fetches until it's verified the delegated authority (e.g. start with the root, check its CRLs for the intermediate, then check the intermediate's stated CRLs for baz, then check Baz's stated CRLs), it would still be fully possible for Baz to network requests (or file system loads; Edge uses CryptoAPI to verify certificates, which supports So while I understand that theory, I'm saying it's not been practiced, nor is it capable of being practiced under the current OS APIs, no more than extension APIs may make additional requests. Sorry to hijack @estark37's bug for that discussion, but I think it's worthwhile to figure out where |
For Expect-CT reports, I think we have two options:
Anyone have thoughts? Both seem kind of gross to me. :( |
@sleevi I created whatwg/fetch#530 for OSCP specifically. @estark37 a third option is that we extend SOP as we did when added CORS preflights (a new type of cross-origin request). However, I'd rather we find a way to stop doing that or find a better place to draw a line (sorry, not sure what that would look like). Every now then going "oops we extended SOP" is not principled enough for my taste and difficult for server operators to work with. |
* Remove the confusing syntax for violation reports and just write what the keys and values are. (Fixes bifurcation/expect-ct#16 though there still may be some better way to write this that I don't know about.) * Remove dependencies on Fetch/HTML for "Sending a violation report". These dependencies don't belong in an HTTP spec. Instead, we just say that the UA should send a POST request, with a note that the UA might do more than simply send a POST request. If it's a browser, it should use Fetch and send CORS preflights for these requests, but we'll leave that up to the UA. Fixes bifurcation/expect-ct#6. Note that the report format is remaining as JSON. The content-type is `application/expect-ct-report`, so bifurcation/expect-ct#18 is fixed as well.
After some pondering, I decided to leave this as JSON, with Content-Type From an implementation perspective, sending CORS preflights in the Chrome impl is going to be tricky, so I'll still have to figure that out. I noticed that the Reporting API implementation doesn't actually appear to send CORS preflights, so I think CSP will still have this problem. (cc @mikewest @juliatuttle) |
The CSP spec has a nice requirement that CSP reports should have the
content-type
header set toapplication/csp-report
. https://www.w3.org/TR/CSP2/#send-violation-reportsCould we introduce a similar requirement for CT reports to have a
content-type
header set toapplication/ct-report
?The text was updated successfully, but these errors were encountered: