Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The editor's draft includes several features that no one has shipped. #563

Open
mikewest opened this issue Sep 15, 2022 · 13 comments
Open

The editor's draft includes several features that no one has shipped. #563

mikewest opened this issue Sep 15, 2022 · 13 comments

Comments

@mikewest
Copy link
Member

As @domenic noted in our meeting at TPAC, a few features exist in the editor's draft that aren't shipped anywhere, and don't have substantial agreement. We should remove them to avoid confusion.
mikewest added a commit that referenced this issue Sep 15, 2022
@mikewest
Remove navigate-to.
26c3bde 
Though there's an implementation of this directive behind a flag in
Chromium, it's not something that any vendor has shipped, and there
are real concerns about information leaks that it enables. This
patch removes it from the spec to avoid confusion while we determine
what, if anything, we want to do in this space.

Partially addresses #563.
@mikewest mikewest mentioned this issue Sep 15, 2022
Merged
@mikewest
Copy link
Member Author

The three that come to mind are navigate-to (which we should clearly remove), webrtc and prefetch-src. I don't know of any implementation activity around the former. The latter is implemented in Chromium, and seems like it might be uncontrovercial (modulo concerns about how prefetch generally is specified).

#564 removes navigate-to. We should either collectively decide to ship the latter two, or I'll put patches up to remove them as well.

mikewest added a commit that referenced this issue Sep 16, 2022
@mikewest
Remove navigate-to. (#564)
5f6b45a 
Though there's an implementation of this directive behind a flag in
Chromium, it's not something that any vendor has shipped, and there
are real concerns about information leaks that it enables. This
patch removes it from the spec to avoid confusion while we determine
what, if anything, we want to do in this space.

Partially addresses #563.
@mikewest
Copy link
Member Author

@domenic (and @annevk, who also expressed concerns about this at TPAC): Is this the set of unshipped things you were pointing to, or are there others I missed?

Given your interest in prefetch-src (and related bits like DNS/preconnect), would you prefer we drop it to work out your concerns around the spec, or keep/improve it (which I think @noamr and/or @yoavweiss were looking into)?

Same question for WebRTC. It would be ideal to understand what WebKit (@annevk?) and Mozilla (@ckerschb? @dveditz?) would like to do here.

@annevk
Copy link
Member

annevk commented Sep 16, 2022

WebRTC support was a very recent addition. I think we should give that a bit more time to gain traction.

(The concern I expressed at TPAC is that there are many open issues still, of which there's several that I know to be substantive.)

@mikewest
Copy link
Member Author

WebRTC support was a very recent addition. I think we should give that a bit more time to gain traction.

Ok, thanks.

(The concern I expressed at TPAC is that there are many open issues still, of which there's several that I know to be substantive.)

Yup. I heard that.

@yoavweiss
Copy link
Contributor

@noamr made some progress on specifying prefetch's processing model, and I can see how prefetch-src can be better defined as part of that. At the same time, I wouldn't expect a ton of progress on that front in the next few months, as he's on leave.

@noamr
Copy link
Contributor

noamr commented Sep 21, 2022

The current spec PR doesn't change the meaning of prefetch-src, which is already defined in fetch. I think though that if it's not implemented, we should not implement it and instead do this - make it so that resource hints (prefetch/dns-prefetch/preconnect) fall back to the least restrictive matching directive in the policy, without introducing a new directive for them.

@domenic
Copy link
Contributor

domenic commented Sep 27, 2022

That list seems good to me!

Very excited to see the removal of navigate-to. The amount of mental energy I've spent trying to figure out how that integrates with various features I work on has been... high.

prefetch-src would probably benefit from some clarification as to what WebAppsSec would like it to apply to. In particular, there are many different technologies under the "pre-" name:

  • <link rel=dns-prefetch>
  • <link rel=preconnect>
  • <link rel=preload> (a way of loading subresources into a per-document memory cache)
  • <link rel=prefetch> (not fully specced, but slated to become a way of priming the current HTTP cache partition with either a subresource or a navigational resource, potentially for future same-partition navigations)
  • <link rel=prerender> (not specced at all; Chrome-only; there it does some sort of partition-violating prefetch-with-subresources of a navigational resource)
  • Speculation rules prefetch/prerender (targeted at navigational document resources and their subresources, with partition-respecting semantics)

Our conservative approach so far has been to lump all of these under the control of prefetch-src, I believe. But this is not principled. And it might be better to do something totally different, at least for the subresource cases, as @noamr points out. Or, we might want to split it up into multiple features, or give it a more generic name so that people realize it applies to more than just <link rel=prefetch>...

But overall, to tell what the right path is, I think we need some background on what people want to use it for, and why it was introduced. If you have that handy, I'd love to read up.

@mikewest
Copy link
Member Author

#107 was the original discussion around prefetch-src.

At a high level, folks expect CSP to give them control over requests that a given page initiates, with the goal of preventing unexpected/unwanted data exfiltration. That's not an unreasonable expectation, but not one that CSP meets today.

@noamr
Copy link
Contributor

noamr commented Sep 27, 2022

That list seems good to me!

Very excited to see the removal of navigate-to. The amount of mental energy I've spent trying to figure out how that integrates with various features I work on has been... high.

prefetch-src would probably benefit from some clarification as to what WebAppsSec would like it to apply to. In particular, there are many different technologies under the "pre-" name:

  • <link rel=dns-prefetch>
  • <link rel=preconnect>
  • <link rel=preload> (a way of loading subresources into a per-document memory cache)
  • <link rel=prefetch> (not fully specced, but slated to become a way of priming the current HTTP cache partition with either a subresource or a navigational resource, potentially for future same-partition navigations)
  • <link rel=prerender> (not specced at all; Chrome-only; there it does some sort of partition-violating prefetch-with-subresources of a navigational resource)
  • Speculation rules prefetch/prerender (targeted at navigational document resources and their subresources, with partition-respecting semantics)

Our conservative approach so far has been to lump all of these under the control of prefetch-src, I believe. But this is not principled. And it might be better to do something totally different, at least for the subresource cases, as @noamr points out. Or, we might want to split it up into multiple features, or give it a more generic name so that people realize it applies to more than just <link rel=prefetch>...

But overall, to tell what the right path is, I think we need some background on what people want to use it for, and why it was introduced. If you have that handy, I'd love to read up.

I addressed the above cases in #542.
The idea is that for regular subresources we already have the type-specific CSPs, and for resource hints (prefetch, preconnecy, dns-prefeth) the thing we want to prevent is exfiltration, and the least-restrictive policy would suffice for that without introducing a custom prefetch-src.

@dveditz
Copy link
Member

dveditz commented Oct 11, 2022

Speaking up to add a Mozilla voice, but I strongly agree with Anne that webrtc should be dropped until there's more discussion around it. A binary on/off switch seems to fit better with Permission Policy or Document Policy, and I worry adding it to CSP opens the doors to adding all kinds of other feature switches to CSP.

We're also happy to see navigate-to and prefetch-src removed for now so that we can get a published working draft that aligns better with what multiple browsers have shipped or are actively working on shipping.

@annevk
Copy link
Member

annevk commented Oct 12, 2022

Note that I was opposed to dropping webrtc. In part because it largely seemed like a volunteer effort that over a significant amount of time managed to get agreement between implementers and got them converged on a solution. It's worth looking at the various PRs involved to see how much effort went into it.

@domenic domenic mentioned this issue Oct 23, 2022
Closed
@eligrey
Copy link
Member

eligrey commented Nov 2, 2022
edited
Loading

Can someone link to the security-related rationale behind navigate-to's removal? It appears that the Navigation API is capable of handling the use cases addressed with navigate-to and doesn't have any associated security issues preventing its use for navigation egress control.

@noamr
Copy link
Contributor

noamr commented Dec 19, 2022

See #582 for a prefetch-src alternative.

@benatkin benatkin mentioned this issue Aug 31, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@mikewest @eligrey @noamr @domenic @yoavweiss @dveditz @annevk