From 799464dd787f06de8b53f120b12adafdb75e1c0e Mon Sep 17 00:00:00 2001 From: Johann Hofmann Date: Tue, 26 Sep 2023 21:44:29 +0000 Subject: [PATCH 1/3] [Cookie Layering] WIP Requests --- fetch.bs | 99 +++++++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 81 insertions(+), 18 deletions(-) diff --git a/fetch.bs b/fetch.bs index 7d7f4d920..60fcc94d1 100644 --- a/fetch.bs +++ b/fetch.bs @@ -3268,6 +3268,86 @@ through TLS using ALPN. The protocol cannot be spoofed through HTTP requests in

HTTP extensions

+ + +

The `Cookie` +request header allows the request to carry locally stored state, such as user credentials. +

+

To append a request `Cookie` header, +given a request request, run these steps: +

    +
  1. Let |sameSite| be the result of [=determining the same-site mode=] for request. +

  2. Let |secure| be false. +

  3. If request's current URL's scheme is "https", then set |secure| to true. +

    Note that this doesn't use the arguably superior definition of [=secure context=] +

  4. Let |httpOnly| be true. +

    Fetch implies that the request is http-only, as opposed to document.cookie +

  5. Let |partitionKey| be the result of [=computing the cookie partition key=] for request. +

  6. Let |partitionedContext| be the result of [=determining the partitioned context state=] for |request|. +

  7. Let |cookies| be the result of [=getting the sorted list of cookies=] given request's current URL's host, request's current URL's path, |secure|, |httpOnly|, |sameSite|, |partitionKey|, |partitionedContext|. + +

    It is expected that the cookie store returns an ordered list of cookies +

  8. If |cookies| is empty, then return. +
  9. Let |value| be the result of [=serializing a cookie list=] given |cookies|. +
  10. Append (`Cookie`, value) to request's header list. +
+
+ +
+

To determine the same-site mode for a given request request, run these steps: +

    +
  1. If request's client's has cross-site ancestor is false, return "None". +

    TODO: This refers to the cross-site ancestor flag added in https://github.com/whatwg/html/pull/8036 +

  2. Let topLevelOrigin be environment's top-level origin. +

  3. ... +

    TODO: Formalize what's written up in https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-12#name-strict-and-lax-enforcement here +

  4. Profit! +

+
+ +
+

To compute the cookie partition key for a given request request, run these steps: +

See https://dcthetall.github.io/CHIPS-spec/draft-cutler-httpbis-partitioned-cookies.html#name-computing-the-cookie-partit +

    +
  1. Let topLevelOrigin be environment's + top-level origin. + +

  2. Let topLevelSite be the result of obtaining a site, + given topLevelOrigin. + +

  3. +

    Let crossSiteAncestors be request's client's has cross-site ancestor. +

    This will need to be decided in https://github.com/privacycg/CHIPS/issues/40 + +

  4. Return (topLevelSite, crossSiteAncestors). +

+
+ +
+

To determine the partitioned context state for a given request request, run these steps: +

    +
  1. If request's client's has cross-site ancestor is false, return false. +

    TODO: This refers to the cross-site ancestor flag added in https://github.com/whatwg/html/pull/8036 +

  2. If request's client's [=environment/has storage access=] is true, return false. +

    TODO: This refers to the flag added in https://privacycg.github.io/storage-access/#environment-has-storage-access +

  3. Return true. +

+
+ +
+

To get the sorted list of cookies for a given request request, run these steps: +

    +

    TODO: We have to define this interface in 6265bis +

+
+ +
+

To serialize a cookie list for a given request request, run these steps: +

    +

    TODO: We have to define this interface in 6265bis +

+
+

`Origin` header
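Review bot: the new "compute the cookie partition key" and "determine the same-site mode" algorithms refer to "environment's top-level origin" (step 1 and step 2 respectively), but the only input either algorithm takes is request, so no environment is in scope; this should read request's client's top-level origin, with the null-client case handled. The two helpers this hunk introduces, "getting the sorted list of cookies" and "serializing a cookie list", are bare "TODO: define this interface in 6265bis" stubs, so "append a request `Cookie` header" cannot actually be evaluated yet; acceptable for a WIP commit, but the stubs and the "4. Profit!" placeholder in the same-site mode algorithm should be tracked as open items before the series leaves WIP.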

The `Origin` @@ -5637,24 +5717,7 @@ run these steps: HTTP header layer division for more details.

  • -

    If includeCredentials is true, then: - -

      -
    1. -

      If the user agent is not configured to block cookies for httpRequest (see - section 7 of - [[!COOKIES]]), then: - -

        -
      1. Let cookies be the result of running the "cookie-string" algorithm (see - section 5.4 of - [[!COOKIES]]) with the user agent's cookie store and httpRequest's - current URL. - -

      2. If cookies is not the empty string, then append - (`Cookie`, cookies) to httpRequest's - header list. -
      +

      If includeCredentials is true, append a request `Cookie` header for httpRequest.
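Review bot: the replacement drops the "user agent is not configured to block cookies for httpRequest (see section 7 of [[!COOKIES]])" gate without carrying it into "append a request `Cookie` header". If that user-agent-level blocking is now meant to happen inside the cookie store's retrieval step, a note saying so belongs next to the new call; otherwise the check is silently lost. Structurally, the one-line replacement also leaves the following "2. If httpRequest's header list" step as the second item of a list whose first item no longer exists; the fix in the third patch of this series should be folded into this commit so each commit builds on its own.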

    2. If httpRequest's header list From 03569cc80a18ccdc9b276b1aa3c43e327fd7573c Mon Sep 17 00:00:00 2001 From: Johann Hofmann Date: Thu, 18 Apr 2024 11:57:59 +0000 Subject: [PATCH 2/3] Compute same-site status --- fetch.bs | 88 +++++++++++++++++++++++++++++++++----------------------- 1 file changed, 52 insertions(+), 36 deletions(-) diff --git a/fetch.bs b/fetch.bs index 0ac89307e..3fdef56ce 100644 --- a/fetch.bs +++ b/fetch.bs @@ -40,6 +40,10 @@ urlPrefix:https://httpwg.org/specs/rfc9111.html#;type:dfn;spec:http-caching urlPrefix:https://httpwg.org/specs/rfc9112.html#;type:dfn;spec:http1 url:status.line;text:reason-phrase +urlPrefix:https://https://html-preview.github.io/?url=https://raw.githubusercontent.com/johannhof/http-extensions/gh-pages/draft-ietf-httpbis-rfc6265bis.html#;type:dfn;spec:cookies + url:name-serialize-cookies;text:serialize cookies + url:name-retrieve-cookies;text:retrieve cookies + url:https://w3c.github.io/resource-timing/#dfn-mark-resource-timing;text:mark resource timing;type:dfn;spec:resource-timing urlPrefix:https://w3c.github.io/hr-time/#;spec:hr-time @@ -53,10 +57,20 @@ urlPrefix:https://tc39.es/ecma262/#;type:dfn;spec:ecma-262 url:realm;text:realm url:sec-list-and-record-specification-type;text:Record url:current-realm;text:current realm + +spec: storage-access; urlPrefix: https://privacycg.github.io/storage-access + type: dfn + for: environment + text: has storage access; url: #environment-has-storage-access

       {
      +    "COOKIES": {
      +        "authors": ["Johann Hofmann", "Anne Van Kesteren"],
      +        "href": "https://html-preview.github.io/?url=https://raw.githubusercontent.com/johannhof/http-extensions/gh-pages/draft-ietf-httpbis-rfc6265bis.html#name-retrieve-cookies",
      +        "title": "Cookies: HTTP State Management Mechanism"
      +    },
           "HTTP": {
               "aliasOf": "RFC9110"
           },
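Review bot: the urlPrefix added in the preceding hunk (@@ -40,6 +40,10 @@) reads "https://https://html-preview.github.io/...", a doubled scheme, so the "retrieve cookies" and "serialize cookies" dfn links will not resolve. Both that urlPrefix and the COOKIES biblio "href" in this hunk point at a personal fork rendered through html-preview.github.io; fine as a WIP pointer, but they should be replaced with the published draft-ietf-httpbis-rfc6265bis URL before merging, and the biblio "authors" list should be checked against the referenced draft rather than the PR's authors.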
      @@ -2222,9 +2236,8 @@ or "object".
       
      -

      A request request has a -redirect-tainted origin if these steps -return true: +

      To get request request's +redirect-taint:
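Review bot: the new "get request's redirect-taint" definition should state its value set up front, i.e. that it returns "None", "Same-Site-Cross-Origin", or "Cross-Site", so readers of the later callers (serializing a request origin, determining the same-site mode) know which values to expect; the boolean definition it replaces did not need this, but a tri-state does.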

      1. Let lastURL be null. @@ -2236,23 +2249,26 @@ return true:

      2. If lastURL is null, then set lastURL to url and continue. +

      3. If url's origin is not same site with + lastURL's origin and request's origin is + not same site with lastURL's origin, then return "Cross-Site". +

      4. If url's origin is not same origin with lastURL's origin and request's origin is - not same origin with lastURL's origin, then return true. + not same origin with lastURL's origin, then return "Same-Site-Cross-Origin".

      5. Set lastURL to url.
      -
    3. Return false. +
    4. Return "None".
    -

    Serializing a request origin, given a request request, is to run these steps:

      -
    1. If request has a redirect-tainted origin, then return +

    2. If request's redirect-taint is not "None", then return "null".
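Review bot: the loop returns at the first hop it classifies, so a chain whose first cross-origin hop is same-site and a later hop is cross-site returns "Same-Site-Cross-Origin" at step 4 before step 3 ever sees the later URL. Since "Cross-Site" is the stronger taint (it is what drives the same-site mode to "None"), the algorithm should track the worst taint seen across the whole chain and return it after the loop, rather than returning early, e.g. set a taint variable in steps 3 and 4 and only upgrade it.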

    3. Return request's origin, @@ -2358,8 +2374,8 @@ source of security bugs. Please seek security review for features that deal with "credentialless", then return true.

    4. If request's origin is same origin with - request's current URL's origin and request - does not have a redirect-tainted origin, then return true.

      + request's current URL's origin and request's + redirect-taint is not "None", then return true.

    5. Return false.
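Review bot: step 4 inverts the original condition. The removed text "does not have a redirect-tainted origin" corresponds to a redirect-taint of "None", but the replacement reads "request's redirect-taint is not "None"", so the step now returns true exactly when the request was redirect-tainted. Given the surrounding comment that this area is a source of security bugs, this should be "request's redirect-taint is "None"".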

    @@ -2475,6 +2491,8 @@ this is also tracked internally using the request's timing allow

    A response has an associated has-cross-origin-redirects (a boolean), which is initially false. +

    A response has an associated has-cross-site-redirects +(a boolean), which is initially false.
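Review bot: has-cross-site-redirects is defined here and set in the later hunk (@@ -4732,9 +4745,12 @@), but nothing in this series reads it. A one-line note on what it is for, parallel to how has-cross-origin-redirects is consumed, would help; otherwise the field should land together with its first consumer.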


    A network error is a response whose @@ -3284,18 +3302,25 @@ request header allows the request to carry locally stored state, su given a request request, run these steps:

    1. Let |sameSite| be the result of [=determining the same-site mode=] for request. -

    2. Let |secure| be false. -

    3. If request's current URL's scheme is "https", then set |secure| to true. +

    4. Let |isSecure| be false. +

    5. If request's current URL's scheme is "https", then set |isSecure| to true.

      Note that this doesn't use the arguably superior definition of [=secure context=] -

    6. Let |httpOnly| be true. +

    7. Let |httpOnlyAllowed| be true.

      Fetch implies that the request is http-only, as opposed to document.cookie

    8. Let |partitionKey| be the result of [=computing the cookie partition key=] for request.

    9. Let |partitionedContext| be the result of [=determining the partitioned context state=] for |request|. -

    10. Let |cookies| be the result of [=getting the sorted list of cookies=] given request's current URL's host, request's current URL's path, |secure|, |httpOnly|, |sameSite|, |partitionKey|, |partitionedContext|. +

    11. Let |cookies| be the result of running retrieve cookies given + |isSecure|, + request's current URL's host, + request's current URL's path, + |httpOnlyAllowed|, + |sameSite|, + |partitionKey| + and |partitionedContext|.

      It is expected that the cookie store returns an ordered list of cookies

    12. If |cookies| is empty, then return. -
    13. Let |value| be the result of [=serializing a cookie list=] given |cookies|. +
    14. Let |value| be the result of running serialize cookies given |cookies|.
    15. Append (`Cookie`, value) to request's header list.
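Review bot: the retrieve cookies call in step 11 reorders the arguments relative to the removed step 10 (|isSecure| now precedes host and path, and |httpOnlyAllowed| follows them); since this is a positional call into an externally defined algorithm, the order should be confirmed against the parameter list of the linked "retrieve cookies" definition. With that algorithm now named, the remaining note "It is expected that the cookie store returns an ordered list of cookies" should become a stated requirement of the referenced definition rather than an expectation expressed here.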
    @@ -3303,12 +3328,15 @@ given a request request, run these steps:

    To determine the same-site mode for a given request request, run these steps:

      -
    1. If request's client's has cross-site ancestor is false, return "None". +

    2. Assert: request's method is "GET" or "POST". +

    3. If request's method is "GET" and + request's destination is "document", return "LaxOrLess". +

      TODO: This needs to describe Lax-Allowing-Unsafe quirks +

    4. If request's client's has cross-site ancestor is true, return "None".

      TODO: This refers to the cross-site ancestor flag added in https://github.com/whatwg/html/pull/8036 -

    5. Let topLevelOrigin be environment's top-level origin. -

    6. ... -

      TODO: Formalize what's written up in https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-12#name-strict-and-lax-enforcement here -

    7. Profit! +

    8. If request's redirect-taint is "Cross-Site", return "None". +

      Should we default to "UnsetOrLess" in place of "None", i.e. is "None" or "Lax" the default for us? +

    9. Return "StrictOrLess".
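Review bot: two logic problems in the new "determine the same-site mode". First, step 2 asserts that request's method is "GET" or "POST", but fetch requests carry arbitrary methods (PUT, DELETE, PATCH, ...), so this assertion fails for ordinary fetch() calls; either drop it or state the precondition at the call site. Second, nothing in steps 3 to 9 compares the request's own site (its origin or its client's top-level site) with request's current URL's site: a subresource request from one site to a different site, with no cross-site ancestor and no redirect, falls through to "StrictOrLess". The removed step "Let topLevelOrigin be environment's top-level origin" and its TODO were the placeholder for exactly that comparison, so it needs to come back, e.g. as a step returning "None" when the top-level site is not same site with the current URL. The open question about "UnsetOrLess" vs "None" at step 8 is reasonable to leave as a note.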

    @@ -3316,7 +3344,7 @@ given a request request, run these steps:

    To compute the cookie partition key for a given request request, run these steps:

    See https://dcthetall.github.io/CHIPS-spec/draft-cutler-httpbis-partitioned-cookies.html#name-computing-the-cookie-partit

      -
    1. Let topLevelOrigin be environment's +

    2. Let topLevelOrigin be request's client's top-level origin.
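Review bot: request's client is null for some requests, so "request's client's top-level origin" needs either a null guard or a stated precondition that this algorithm only runs with a non-null client; the same applies to the "request's client's has cross-site ancestor" reads in the same-site mode and partitioned context algorithms.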

    3. Let topLevelSite be the result of obtaining a site, @@ -3324,7 +3352,6 @@ given a request request, run these steps:

    4. Let crossSiteAncestors be request's client's has cross-site ancestor. -

      This will need to be decided in https://github.com/privacycg/CHIPS/issues/40

    5. Return (topLevelSite, crossSiteAncestors).
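Review bot: this hunk deletes the "This will need to be decided in https://github.com/privacycg/CHIPS/issues/40" note while keeping crossSiteAncestors in the partition key. If the issue has been resolved in favour of including the ancestor bit, the commit message should say so and link the resolution; otherwise the note should stay so readers know the key shape is still provisional.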

    @@ -3341,20 +3368,6 @@ given a request request, run these steps: -
    -

    To get the sorted list of cookies for a given request request, run these steps: -

      -

      TODO: We have to define this interface in 6265bis -

    -
    - -
    -

    To serialize a cookie list for a given request request, run these steps: -

      -

      TODO: We have to define this interface in 6265bis -

    -
    -

    `Origin` header

    The `Origin` @@ -4732,9 +4745,12 @@ steps: -

  • If request has a redirect-tainted origin, then set +

  • If request's redirect-taint is not "None", then set internalResponse's has-cross-origin-redirects to true. +

  • If request's redirect-taint is "Cross-Site", then set + internalResponse's has-cross-site-redirects to true. +

  • If request's timing allow failed flag is unset, then set internalResponse's timing allow passed flag. From ca6f442ee7f8e8f9f4d830c69e694fc80d5dabf1 Mon Sep 17 00:00:00 2001 From: Johann Hofmann Date: Thu, 18 Apr 2024 12:19:33 +0000 Subject: [PATCH 3/3] Fix missing closing tag --- fetch.bs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fetch.bs b/fetch.bs index 3fdef56ce..aa99277df 100644 --- a/fetch.bs +++ b/fetch.bs @@ -5747,7 +5747,9 @@ run these steps: HTTP header layer division for more details.

  • -

    If includeCredentials is true, append a request `Cookie` header for httpRequest. +

    If includeCredentials is true, then: +

      +
    1. Append a request `Cookie` header for httpRequest.

    2. If httpRequest's header list