Port blocking #229

Closed
ricea opened this issue Mar 18, 2021 · 6 comments · Fixed by #378
Labels: Discuss at next meeting, Ready for PR

Comments

@ricea
Contributor

ricea commented Mar 18, 2021

We need to ensure that port blocking is applied to avoid security issues like the NAT Slipstreaming attack. This will probably be delegated to the Fetch standard, so this issue is just here to track it and make sure it isn't forgotten.

@yutakahirano
Contributor

I'm sure that WebTransport people are happy with the current block list, but having an allow-list instead (whatwg/fetch#1189) can be concerning.

@annevk
Member

annevk commented Nov 4, 2021

whatwg/fetch#889 has some thoughts on this. We probably need to distinguish between local and remote ports as well.

jan-ivar added the "Discuss at next meeting" label Nov 17, 2021
@jan-ivar
Member

@yutakahirano What's our "current block list"? I couldn't find any reference to "port" or "ports" in this spec.

@ricea
Contributor Author

ricea commented Nov 18, 2021

https://fetch.spec.whatwg.org/#port-blocking is what we're blocking in practice.

@jan-ivar
Member

We probably should call that out in the spec explicitly.

@jan-ivar
Member

Meeting:

  • Adam: Probably W3C's responsibility to track this, since IETF may have native implementations where port blocking is not an issue.
  • Marking ready for PR to add link to fetch spec per Port blocking #229 (comment)
  • As follow-up, push on Additions to "bad port list" for UDP due to HTTP/3 whatwg/fetch#1268 to possibly add a list to source ports as well to the block list that would be shared with WebTransport (more important for UDP/HTTP3 that we control the source port)
  • Might be worth sending a mail to IETF (WebTrans & QUIC?) mailing lists requesting clarity on where this belongs?
