-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
What is the "security policy" for adding new events and elements to the Web Platform? #6185
Comments
IMO, it will be hard to have this discussion without more/better examples. The policy being discussed, and which I attempted to articulate in the other thread about declarative shadow DOM, is simply stated: "ensure 100% backwards compatibility with any sanitizer that works today or could work today in principle, no matter how oddly constructed." I think it's clearer when we give these things names, and I would propose to call this policy "No Sanitizer Left Behind," NSLB. NSLB stands in contrast with another rule which I think is much closer to the rule we actually follow on the web: "ensure 100% backwards compatibility with any reasonable sanitizer, and certainly with any sanitizer in widespread use today." Let's call that "No Good Sanitizer Left Behind," NGSLB, in opposition to NSLB. In the declarative shadow DOM thread, I argued that On the other hand, NGSLB would probably allow I say "probably" because NGSLB requires us to look at actual data. What do real sanitizers actually do? Do they refuse to sanitize templates? Do they strip all attributes starting with NSLB doesn't forbid as much as you'd thinkIn your statement at the top of this thread, you give three other examples of what you thought NSLB would forbid:
I don't think I agree with two of these examples. I think 2 would actually be allowed under NSLB, and 1 might be as well; 3 would be forbidden, but that's probably good, actually. New HTML Elements would be allowed under NSLBI think new HTML elements are not strictly forbidden by NSLB, because Declarative custom elements might be allowed, too… without shadow DOMIf you look at the explainer for declarative custom elements, it's basically just declarative shadow DOM wrapped in a new Which is to say, declarative custom elements might well depend on declarative shadow DOM, and declarative shadow DOM in its currently spec'd implementation ( Declarative custom elements don't violate NSLB except by using declarative shadow DOM, and if for some reason we thought it made sense to ship declarative custom elements without declarative shadow DOM, I can foresee no NSLB problems with that. New HTML events (
|
Where there is a trade-off between new features and security: From the side bench: 1. Outdated user agents must NOT be considered at all.Reason: Otherwise there will not be stable progress. Explanation: Existing obsoleteware is foremost the fault of the 4 big vendors as they don't force the software to be updated xor uninstalled (after a grace period of not updating such as 3 months) by default. Second to that it is the responsbility of the user. Example: If I use dual-wire-electricity it is not the fault of a lamp producer if I hurt myself in case the lamp comes with all the security feautres that are recent. On forced updates XOR disables: This is tough especially on microsoft and apple as they are required to disable Internet Explorer / Edge and Safari on old versions, also on their mobile devices. There should be ways to re-enable (users should have control) but it should not be the default. 2. User privacy is the most relevant security feature and stands above all.Reason: Users need to feel save and trust the platform, otherwise they will move to walled gardens and closed gateways (despite that there, tracking happens too, but it is out of reach of the users to even realize/decide). Explanation: Evercookie, fingerprinting, cookies, retargeting, detection of user agents though hardware architecture etc. is NOT what users want. As at least one big vendor is big into ads, this policy will be hard to push through, yet the most important. This feature is the most important and only diminished by outdated client side software (see rule 1). 3. New/added technology should not add new - more or less implementation independent - attack vectors.Bad examples: This for instance has been ignored when introducing canvas, webgl and possibly webasm regarding fingerprinting Thus if say shadow dom introduces such vectors, then it is a problem. I cannot judge if streaming shadow doms would do that, but in case it would, that's a problem (see rule 2). 4. Prevalent outdated server software should be considered but not prioritized.Say outdated or badly written software (versions) such as load balancers, proxies, apache/nginx, php, fpm, node, wordpress, sanitizers should be considered but ultimately disregarded if there is no easy upgrade path respecting issues. Reason: Web standards are not responsible for bad citizins. They are however responsible for making sure the technology itself is no threat to security (see rule 3). This for instance has been ignored when introducing canvas, webgl and possibly webasm. |
@dfabulich thanks for the entertaining post, and the (better?) names for the two cases here. I agree with your points, mostly. You're right that new HTML elements, because of HTMLUnknownElement, should be ok to add. But new events, which come with "on*" content attributes, aren't. And as you rightly point out, we're adding new events all the time. I'm wondering if this issue has come up on the various threads discussing the APIs adding new events. (E.g. Picture-in-Picture, WebXR, Web Bluetooth, etc.) From a quick search, it doesn't look like this issue has been brought up at all elsewhere. But perhaps I missed it. If so, I'm wondering what the mitigation was. It was probably clear from my OP, but I'm definitely in the NGSLB camp. Blocking forward progress on a purely-hypothetical situation seems like not the right trade off here. Of course, if there's a real issue on real sites today, let's make sure we address it. |
Can the feature be used to bypass a safelist-based sanitizer (https://github.com/WICG/sanitizer-api might help making that concrete) is probably the bar, but it will also always depend. (Maybe this should move to whatwg/html?) |
I think I agree with that bar - safelist-based sanitizers should continue to be safe. And I believe they are here, as the "shadowroot" attribute will not be on existing safelists. The main "worry" on this thread seems to be denylist-based sanitizers, which don't seem to be future proof or secure on their own. I agree that this should probably be on whatwg/html - I don't think I have permission to move it. Do you? |
In whatwg/dom#831, there is a discussion about whether it is ok to add new html elements and/or attributes to the platform, if those additions could enable scripts to run. The issue/position put forth (e.g. here and here) is that it is possible for a site to configure an HTML sanitizer such that:
If that situation is possible, then the conclusion (again, as presented here and here) is that we either must:
If this is the "policy", it would seem to preclude several new features being proposed:
This logically follows, since it is possible to construct a sanitizer that uses a deny-list, and constructs that deny list using only the element/attribute combinations available at a given point in time. Any new elements or attributes, even if they are "dangerous", would not be present in the deny list, and would therefore be allowed through this sanitizer.
Should this be the "policy" for the web platform?
One alternative viewpoint would be that we should instead work to guard against this situation:
There are several comments on whatwg/dom#831 that appear to be supportive of this alternative way to think about risk mitigation (e.g. this, this, this, and (I think) this). The difficulty, of course, becomes defining "well configured" sanitizers. This is not an easy job, and likely requires some judgement calls to be made, and data to be gathered. A few categories of sanitizer could potentially be pre-defined as "not well configured", e.g. those using fixed deny-lists. While this "policy" is a bit harder to define, it does seem to re-open the possibility of adding new elements and attributes to the web platform.
The text was updated successfully, but these errors were encountered: