Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Restrict to (top-level site, embedded origin) keying (fixes #39) #123

Merged
merged 2 commits into from
Oct 13, 2022

Conversation

johannhof
Copy link
Member

@johannhof johannhof commented Oct 11, 2022

This is what Firefox ships and Chrome intends to ship, so it makes sense to align the spec. Some of our rationale for why we prefer origin as the embedded choice is outlined in #113.

These security concerns don't apply to top-level site and indeed we've seen compatibility cases in Firefox that justify keeping top-level site.

cc @arturjanc @cfredric

  • At least two implementers are interested (and none opposed):
    • Firefox is shipping this
    • Chrome plans to ship this
  • Tests are written and can be reviewed and commented upon at:
    • I'm not sure we have the infrastructure to test this but I'll investigate further before continuing this PR
  • Implementation bugs are filed:
    • Chromium: N/A
    • Gecko: N/A
    • WebKit: Not yet

Preview | Diff

)

This is what Firefox ships and Chrome intends to ship, so it makes sense
to align the spec. Some of our rationale for why we prefer origin as the
embedded choice is outlined in privacycg#113.

These security concerns don't apply to top-level site and indeed we've
seen compatibility cases in Firefox that justify keeping top-level site.
Copy link
Collaborator

@annevk annevk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suspect this will clash with Ben's PR.

In principle it seems reasonable to try this. We might have to revisit this depending on the fallout of this and other decisions though.


<div class=example>

`(("https", "news.example"), ("https", "social.example"))` is a [=partitioned storage key=] whose [=top-level site=] is `("https", "news.example")` and whose [=embedded site=] is `("https", "social.example")`.
`(("https", "news.example"), ("https", "social.example"))` is a [=partitioned storage key=] whose [=top-level site=] is `("https", "news.example")` and whose [=embedded origin=] is `("https", "social.example", null, null)`.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You would need to update the partitioned storage key itself as well I think as ("https", "social.example") is not a valid origin representation.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, thanks for catching that :)

@johannhof
Copy link
Member Author

Agreed that this seems worth revisiting depending on known fallout/breakage. It's also worth mentioning that per-frame (#122) storage access reduces the attack potential that we're trying to mitigate with this change.

@annevk
Copy link
Collaborator

annevk commented Oct 11, 2022

So one thing that we should try to do before we land this is to have adequate testing for this. Trying to use https://whatwg.org/working-mode#changes as we make changes will make our lives a lot easier as we eventually migrate this document.

@johannhof
Copy link
Member Author

Hmm that's a good point, though testing infra for SAA is a bit needing and so we'd have to evaluate this on a case-by-case basis, I think. We should invest more in better infra after deciding on #122.

Should we have a checklist for those things on new PRs?

@johannhof
Copy link
Member Author

Retroactively filled out the checklist in the initial comment, @annevk does it make sense to file a bug about this with WebKit?

@annevk
Copy link
Collaborator

annevk commented Oct 12, 2022

If you can construct a test that WebKit fails, yes.

@johannhof
Copy link
Member Author

So, yeah, having looked further into this I'm pretty sure that we can't test this through WPT right now. The test_driver.set_permission command for storage-access seems to fail in all browsers, so it doesn't seem possible to actually grant storage access in WPT.

@johannhof johannhof merged commit c7abefa into privacycg:main Oct 13, 2022
@johannhof johannhof deleted the site-origin branch October 13, 2022 14:27
@annevk
Copy link
Collaborator

annevk commented Oct 13, 2022

Well, we could add manual tests and automate those later.

@Brandr0id
Copy link
Member

@johannhof I believe the set_permission command should be working in Chrome/Edge impls when running the WPT tests as part of a Chromium enlistment. Looking at the public webdriver test runs you linked the error seems to be coming from that WebDriver instance hitting a different permissions path and throwing the descriptor error vs how it is hooked up and run via blink web tests for all WPT test instances (where it succeeds). That seems more like a potential impl bug vs a test blocker in this case.

FWIW there was some work done to the WebDriver spec a while back to help support testability of this spec: w3c/webdriver#1437

Including the addition of a set_storage_access API in testdriver (impl'd in Chromium) to allow us to set storage access (e.g. blocked) then verify the API will unblock access. example usage: https://github.com/web-platform-tests/wpt/blob/master/storage-access-api/storageAccess.testdriver.sub.html

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants