Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent cross document access via policy #4435

Open
dtapuska opened this issue Mar 18, 2019 · 7 comments · May be fixed by #4606
Open

Prevent cross document access via policy #4435

dtapuska opened this issue Mar 18, 2019 · 7 comments · May be fixed by #4606

Comments

@dtapuska
Copy link
Contributor

Consider adding a policy to prevent same origin cross document access.
See: https://github.com/dtapuska/documentaccess as an alternate for issue 2757.

@annevk @bzbarsky
@annevk
Copy link
Member

annevk commented Mar 19, 2019
edited
Loading

I like the general idea, but I wonder what boundary we are looking for. E.g., if we want these documents to (potentially) end up in different processes, the isolation needs to be at a different level (the agent cluster key) as otherwise there would still be shared memory between these documents, for instance.

And as these "window" agent clusters really belong to the browsing context group, this seems like the kind of thing to decide when the browsing context group is created.

@dtapuska
Copy link
Contributor Author

I'm not thinking strictly about enforcing process isolation. More like I want to embed this content and it really doesn't have to interact with my content so let me limit the scope I expose to it. So I don't think it necessarily ties into the agent cluster key.

ie. having two documents directly scriptable probably isn't widely used and it should be easy to opt out of it.

@annevk
Copy link
Member

annevk commented Mar 20, 2019

Unless we also provide the ability for UAs to optionally process-isolate them it's not entirely clear to me it's worth it. Otherwise they can still (accidentally) share memory via SharedArrayBuffer and affect each other's execution flow.

@dtapuska
Copy link
Contributor Author

I think these are good points. I probably want to make the definition of the js bindings dependent on the agent cluster key and then adjust the agent cluster key based on the feature policy. Is that what you were thinking?

@annevk
Copy link
Member

annevk commented Mar 21, 2019

Yeah, other things to resolve:

  1. Should this be per-origin or per-document.
  2. Should you be able to enforce this same-site, but cross-origin.
  3. How does this affect further embedded or auxiliary browsing contexts' documents. (If they use the normal key again they would have same-origin access, destroying the encapsulation, which makes me think this needs to be decided at browsing context group creation or per-origin, but there might be further alternatives. I didn't consider this too long.)

And then depending on the resolutions to those there's more, I suspect.

@dtapuska
Copy link
Contributor Author

Are not all your points addressed how feature policies work? If set on an iframe it is on the container policy, otherwise documents can opt into it via the header.

@annevk
Copy link
Member

annevk commented Mar 23, 2019

I don't understand how I'm afraid.

dtapuska added a commit to dtapuska/html that referenced this issue May 9, 2019
@dtapuska
Add a document-access feature policy to prevent access from one
d22ada2 
document to another.

Add steps in the IsPlatformObjectSameOrigin to force checks if the
two documents do not share the same agent and thus cannot share memory
because they would be in different agent clusters.

Fixes whatwg#4435
@dtapuska dtapuska linked a pull request May 9, 2019 that will close this issue
Open
3 tasks
dtapuska added a commit to dtapuska/html that referenced this issue Jul 29, 2019
@dtapuska
Add a document-access feature policy to prevent access from one
94b8f7a 
document to another.

Add steps in the IsPlatformObjectSameOrigin to force checks if the
two documents do not share the same agent and thus cannot share memory
because they would be in different agent clusters.

Fixes whatwg#4435
dtapuska added a commit to dtapuska/html that referenced this issue Feb 11, 2020
@dtapuska
Add a disallowdocumentaccess iframe attribute to prevent access from one
3bf6272 
document to another.

Add steps that cause a newly created browsing context group at the iframe
boundary.

Fixes whatwg#4435
dtapuska added a commit to dtapuska/html that referenced this issue Feb 11, 2020
@dtapuska
Add a disallowdocumentaccess iframe attribute to prevent access from one
8700908 
document to another.

Add steps that cause a newly created browsing context group at the iframe
boundary.

Fixes whatwg#4435
dtapuska added a commit to dtapuska/html that referenced this issue Sep 17, 2020
@dtapuska
Add a disallowdocumentaccess iframe attribute to prevent access from one
118ca66 
document to another.

Add steps that cause a newly created browsing context group at the iframe
boundary.

Fixes whatwg#4435
@dvoytenko dvoytenko mentioned this issue Oct 22, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
2 participants
@annevk @dtapuska