-
Notifications
You must be signed in to change notification settings - Fork 312
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
clarify secure context requirements in Handle Fetch #890
Comments
It doesn't even make sense for "target client". The way things like window.open are specified for example the "noopener" flag isn't applied until after fetch has completed. And that noopener flag can be the difference between the target client being a secure context or not. But this is kind of the same issue I was trying to figure out for Link headers (how to specify that Link: rel=serviceworker headers should only be processed for top-level requests that will result in a secure context). I somehow didn't realize that we already have this problem with Handle Fetch. I don't think there is a way with the way the fetch, html and secure contexts spec are currently written to properly specify this. But it certainly seems likely a request will need access to both the client that initiated a request and the client that could possibly be created using the result of the request. |
Great catch. And ughhghghgh. Of course, a navigation to a secure origin with no means to communicate with the window that initiated the request should be considered secure. I'm grumpy about the Related, but won't work for us w3c/webappsec#517 |
Somewhat heretically proposing |
We may need an API to declaratively "disown" opener for all controlled pages. This would allow SW pages to work when linked to via |
Yeah, making opting into service workers not set the opener for the controlled globals might be nice. |
According to Mike West opener is used by oauth flows. Need to think about that. |
I'm not happy with a non HTTPS site to prevent part of the functionality of my site if this does not introduce an attack risk. Why iframing my site would prevent my SW from work? Is it to prevent abusing Cache API? If I'm missing something, I would prefer to nullify |
I believe it's to stop the non-secure origin getting data from powerful features by poseMessage-talking to the iframe. |
Pre F2F notes: I don't think any browser implements the |
Notice the non-secure origin can not get data this way, getting data is only possible if the safe origin decides to send that data via |
Right, but that's still what they're trying to prevent. Sites were avoiding going full-HTTPS by just having a single proxy-page on HTTPS and using postMessage to pass the data. |
Enforcing HTTPS usage because we want to force them to adopt HTTPS does not feel right, don't you think? Anyway, if the HTTPS proxy is mine, why not to simply use the secured domain for my app and, if it is anyone else property, why this person would want to collaborate with me? |
F2F:
|
Refining the above, seems like we should auto-disown opener for service worker controlled pages if opener is a non-secure context. |
|
See the summary in #890 (comment) Closing. |
Handle Fetch step 12.1 says this for non-subresource requests:
The client in this case is the window that initiated the request.
For some cases this makes sense. For example, a nested iframe making the request to load its document. This check should prevent an insecure parent document from creating a nested https iframe in order to postMessage() to the server. That's good.
It doesn't seem to make sense, though, for things like navigations. If I'm on http://foo.com and follow a link to https://bar.com, I should totally be able to get an intercepted and controlled https://bar.com.
Can we just use the concept of "reserved" or "target" Client here instead? I think maybe "target" client would be right. (Assuming an about:blank in a new tab would pass the secure context check by being a local url.)
The text was updated successfully, but these errors were encountered: