Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Set content-type header when sending reports. #18

Closed
ScottHelme opened this issue Jan 30, 2017 · 14 comments
Closed

Set content-type header when sending reports. #18

ScottHelme opened this issue Jan 30, 2017 · 14 comments

Comments

@ScottHelme
Copy link

The CSP spec has a nice requirement that CSP reports should have the content-type header set to application/csp-report. https://www.w3.org/TR/CSP2/#send-violation-reports

Could we introduce a similar requirement for CT reports to have a content-type header set to application/ct-report?

@estark37
Copy link
Collaborator

@annevk @mikewest did we ever decide anything to do about the fact that CSP reports and similar violate the SOP by sending non-whitelisted Content-Type headers?

@mikewest
Copy link

We decided it's not awesome, and that we should migrate to https://wicg.github.io/reporting/ which respects CORS. What type does expect-ct send today?

@estark37
Copy link
Collaborator

Today Expect-CT sends application/json, but we can totally change that. By "respects CORS", do you mean that reports sent via Reporting API will send preflights?

@annevk
Copy link

annevk commented Apr 15, 2017

Yeah, basically, that's what it would mean. (Putting more pressure on @mikewest to finish Origin Policy so origins can opt out of preflights.)

@estark37
Copy link
Collaborator

Thinking about this some more, why do we consider, say, HPKP reports to be a SOP violation but not OCSP requests, which can also have non-whitelisted headers (https://tools.ietf.org/html/rfc6960#appendix-A.1)?

@annevk
Copy link

annevk commented Apr 20, 2017

@estark37 I think those would be equally problematic. It's really any outgoing request from a browser that goes to an address determined by the user or a third-party.

@sleevi
Copy link

sleevi commented Apr 20, 2017

@annevk Can you explain why? Note that the "third-party", in this case, is a trusted party responsible for the foundation of security (namely, CAs). This is not, say, the server itself, it's a trusted third-party, no different than the browser sending something to its vendor.

@annevk
Copy link

annevk commented Apr 20, 2017

@sleevi ah, that's why I wrote think. I would classify that as second-party since there's some kind of relationship and mutual understanding.

@sleevi
Copy link

sleevi commented Apr 20, 2017

@annevk OK, so one more complication ;)

A name-constrained subCA, in which the CA has restricted the set of issuance for a particular CA certificate to a domain namespace, and, by doing so, most browsers absolve the issuing CA of its responsibility, oversight, and auditing.

That is, you could have

CA Foo (a TTP) -> Intermediate Bar (which Foo is responsible for overseeing and inherits the same TTP status) -> NameConstrained Baz (where Baz is restricted to issuance for example.com).

Baz can issue any number of additional intermediates, and control the OCSP responder URLs, the cRLDistributionPoints, and the AIA caIssuers to arbitrary URLs in an arbitrary namespace. With the exception of Firefox, all other browsers are using a separate, non-browser networking stack to perform these requests, and, depending on the OS, out of process and in a separate security context.

Can you clarify/explain where/why, in these cases, in which it is truly third-party, the concern is? :) I must admit, I'm not sure it's immediately obvious to me.

@annevk
Copy link

annevk commented Apr 20, 2017

If Baz can be rogue without consequences it could create requests within the user's private network that browsers might not have been expected to make and therefore have unforeseen side effects on endpoints within that network. The theory being that browsers are only expected to make requests that fulfill SOP (meaning same-origin and whatever <img>, <form>, etc. can do).

It seems unlikely that any private network would be that naive that the only attacker can be the browser, but if we're not serious about holding that line I would be extremely curious to learn where the line is.

@sleevi
Copy link

sleevi commented Apr 20, 2017

@annevk With the exception of Firefox, the browser does not make these connections, the OS does. Much like, for example, interrogating some GPUs about their capabilities will result in a network fetch of DTDs for the XML specification baked into the driver (I wish I was joking).

But yes, such a name-constrained sub-CA can direct the requests at any particular endpoint. Even under a 'pessimistic' implementation (which no browser implements), which does not perform network fetches until it's verified the delegated authority (e.g. start with the root, check its CRLs for the intermediate, then check the intermediate's stated CRLs for baz, then check Baz's stated CRLs), it would still be fully possible for Baz to network requests (or file system loads; Edge uses CryptoAPI to verify certificates, which supports file:// URLs, which can then be directed to SMB hosts).

So while I understand that theory, I'm saying it's not been practiced, nor is it capable of being practiced under the current OS APIs, no more than extension APIs may make additional requests.

Sorry to hijack @estark37's bug for that discussion, but I think it's worthwhile to figure out where Expect-CT sits on that spectrum. I suspect it aligns with what you say, if only because the act of introducing a technically-constrained sub-CA which grants third-party loads (and not just second-party) is an act of delegation of sufficient complexity, while Expect-CT can be set by anyone. But it's also worth highlighting in case you wanted to confer with folks like @jcjones or @gerv on what the right implementation or policies, respectively, should exist around that. I'm not sure where that discussion should best take place :)

@estark37
Copy link
Collaborator

For Expect-CT reports, I think we have two options:

  1. Form-encode the reports.
  2. Send preflights. (In the Chrome implementation, this would probably mean sending report events out to the content/ layer to deal with CORS..?)

Anyone have thoughts? Both seem kind of gross to me. :(

@annevk
Copy link

annevk commented Apr 21, 2017

@sleevi I created whatwg/fetch#530 for OSCP specifically.

@estark37 a third option is that we extend SOP as we did when added CORS preflights (a new type of cross-origin request). However, I'd rather we find a way to stop doing that or find a better place to draw a line (sorry, not sure what that would look like). Every now then going "oops we extended SOP" is not principled enough for my taste and difficult for server operators to work with.

estark37 added a commit to httpwg/http-extensions that referenced this issue May 23, 2017
* Remove the confusing syntax for violation reports and just write what the keys
  and values are. (Fixes bifurcation/expect-ct#16
  though there still may be some better way to write this that I don't know
  about.)

* Remove dependencies on Fetch/HTML for "Sending a violation report". These
  dependencies don't belong in an HTTP spec. Instead, we just say that the UA
  should send a POST request, with a note that the UA might do more than simply
  send a POST request. If it's a browser, it should use Fetch and send CORS
  preflights for these requests, but we'll leave that up to the UA. Fixes
  bifurcation/expect-ct#6.

Note that the report format is remaining as JSON. The content-type is
`application/expect-ct-report`, so
bifurcation/expect-ct#18 is fixed as well.
@estark37
Copy link
Collaborator

After some pondering, I decided to leave this as JSON, with Content-Type application/expect-ct-report. I resolved the SOP issue from a spec perspective by saying that the UA should send a POST request to upload the report, and leaving it up to the UA to define what exactly is involved in sending the request (with a note that a UA that implements Fetch would end up sending a CORS preflight).

From an implementation perspective, sending CORS preflights in the Chrome impl is going to be tricky, so I'll still have to figure that out. I noticed that the Reporting API implementation doesn't actually appear to send CORS preflights, so I think CSP will still have this problem. (cc @mikewest @juliatuttle)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants