Consider requiring feature policy for SharedArrayBuffer in cross-origin frames #5435
Comments
domenic
added
security/privacy
|
/cc @annevk |
|
I think in principle this is reasonable, especially if we expect process isolation to continue to be infeasible on certain platforms. This will require a lot of new tests. I don't think we should allow this to create a place where the SharedArrayBuffer constructor is not hidden, but It's also a bit weird that permission delegation is not per agent, so you could end up with globals within a single agent disagreeing on whether they have access to cross-origin isolated features. That's probably okay. I tried to think a bit what kind of changes I would make to #4734:
And we'd use the cross-origin isolated capability for timers and such. (Nobody tried to tackle cross-origin isolated timers yet I believe. Perhaps it should wait if this is happening.) I'm not sure I want to commit to Firefox not shipping before all this is done and implemented. Not sure how tenable that is given the status quo. It would be doable to follow though. Hope that's understandable. |
|
If you were to use |
I agree that it is surprising and I prefer ignoring the policy for the same-origin case. |
|
I'm not sure that Feature Policy allows for that. And in fact, the header variant would allow you to disable the cross-origin isolated permission for a top-level context as well and I think we should not deviate from that. What we could do though is that the availability of SharedArrayBuffer depends on cross-origin isolated rather than the cross-origin isolated permission. And that only cc @clelland |
|
How about "other potentially process-wide features (like the memory measurement API, or maybe precise performance.now())"? |
|
Well, I got the impression you all were proposing to gate those similarly? In Firefox I think we have a global available for most timers so it would be doable implementation-wise. Hiding |
|
Let me make sure. Are the followings your preference?
|
|
Yes, except I was thinking 4 would depend on both as well (that's what I meant with capability above) as you want that for feature testing postMessage(). Having said that, I'm pretty flexible here. |
|
I agree that exposing cross-origin isolated [concept] && cross-origin isolated permission [concept] as crossOriginIsolated is better, given the original motivation. |
If you mean that Re: globals having different members; we originally specced Feature Policy to expose JS symbols (or not) depending on policy, but ended up never shipping a policy like that, as it always seemed better to just switch behaviour -- have window.sharedArrayBuffer fail or throw, rather than just not exist. |
|
Thank you for the clarification, I now understand the consistency in the Permissions Policy is more important. |
|
I'm implementing the permission at https://chromium-review.googlesource.com/c/chromium/src/+/2247940. I'm not shipping the feature so I can change the name later, but I'd like to get your opinions before landing the change. @domenic, @annevk, are you both fine with the name "cross-origin-isolated" as the permission name? Of course opinions from other people are welcome too. |
|
I'm fine with it. It's not perfect (it's a weird name for a "permission") but it's probably better than creating some new term. |
|
I have a hard time coming up with a better name, but I also already liked reusing this term for this, so yes, I'm fine. |
|
Thank you! |
A top-level navigation response with Cross-Origin-Opener-Policy set to same-origin and Cross-Origin-Embedder-Policy set to require-corp will create a cross-origin isolated browsing context group. And all agent clusters therein will be cross-origin isolated as well (shared and service workers can still not be, as they sit on the side). This change also: * Gates SharedArrayBuffer exposure behind that primitive for web compatibility reasons. * Gates SharedArrayBuffer sharing behind that primitive. * Exposes it through self.crossOriginIsolated. * Makes document.domain return before it mutates the origin. * Makes agent clusters keyed on origin. Tests: * web-platform-tests/wpt#17719 * web-platform-tests/wpt#17760 * web-platform-tests/wpt#17761 * web-platform-tests/wpt#17802 * web-platform-tests/wpt#17909 * web-platform-tests/wpt#18543 * web-platform-tests/wpt#20116 * web-platform-tests/wpt#22358 Closes #4732. Closes #5122. Closes #5444. Follow-up: #5435.
A top-level navigation response with Cross-Origin-Opener-Policy set to same-origin and Cross-Origin-Embedder-Policy set to require-corp will create a cross-origin isolated browsing context group. And all agent clusters therein will be cross-origin isolated as well (shared and service workers can still not be, as they sit on the side). This change also: * Gates SharedArrayBuffer exposure behind that primitive for web compatibility reasons. * Gates SharedArrayBuffer sharing behind that primitive. * Exposes it through self.crossOriginIsolated. * Makes document.domain return before it mutates the origin. * Makes agent clusters keyed on origin. Tests: * web-platform-tests/wpt#17719 * web-platform-tests/wpt#17760 * web-platform-tests/wpt#17761 * web-platform-tests/wpt#17802 * web-platform-tests/wpt#17909 * web-platform-tests/wpt#18543 * web-platform-tests/wpt#20116 * web-platform-tests/wpt#22358 Closes #4732. Closes #5122. Closes #5444. Follow-up: #5435 (and #5362).
|
Is the idea here that there would not necessarily be a user-exposed permission, just a way to delegate to subframes? |
|
Yep, that's the idea. |
This allows a document to control whether nested documents can access features that require cross-origin isolation, as an additional restriction on top of requiring COOP+COEP. Fixes #5435.
A top-level navigation response with Cross-Origin-Opener-Policy set to same-origin and Cross-Origin-Embedder-Policy set to require-corp will create a cross-origin isolated browsing context group. And all agent clusters therein will be cross-origin isolated as well (shared and service workers can still not be, as they sit on the side). This change also: * Gates SharedArrayBuffer exposure behind that primitive for web compatibility reasons. * Gates SharedArrayBuffer sharing behind that primitive. * Exposes it through self.crossOriginIsolated. * Makes document.domain return before it mutates the origin. * Makes agent clusters keyed on origin. Tests: * web-platform-tests/wpt#17719 * web-platform-tests/wpt#17760 * web-platform-tests/wpt#17761 * web-platform-tests/wpt#17802 * web-platform-tests/wpt#17909 * web-platform-tests/wpt#18543 * web-platform-tests/wpt#20116 * web-platform-tests/wpt#22358 Closes whatwg#4732. Closes whatwg#5122. Closes whatwg#5444. Follow-up: whatwg#5435 (and whatwg#5362).
This allows a document to control whether nested documents can access features that require cross-origin isolation, as an additional restriction on top of requiring COOP+COEP. Fixes whatwg#5435.
Implementing whatwg/html#5435. This change itself doesn't change the behavior (yet) as Agent::IsCrossOriginIsolated() always returns false. Please see https://crrev.com/c/2247463 for details. With subsequent changes this will affect the value of WindowOrWorkerGlobalScope.crossOriginIsolated. Bug: 1018680 Change-Id: I952197efe1b6a591cee39a28519402e22598928c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2247940 Auto-Submit: Yutaka Hirano <yhirano@chromium.org> Commit-Queue: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Ian Clelland <iclelland@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#784696} Cr-Mirrored-From: https://chromium.googlesource.com/chromium/src Cr-Mirrored-Commit: 23d3561c3e0fcd894052afd9a6c39c3e512e53b2
#4734 proposes that all crossOriginIsolated contexts be allowed to postMessage() SharedArrayBuffer. However, @ulan brought up the fact that this makes COOP+COEP adoption dangerous.
Consider the scenario where
outer.comalready embeds a semi-trustedinner.com. The decision to embedinner.comwas made before COOP+COEP existed.Now
outer.comwants to useSharedArrayBuffer. Soouter.comenables COOP+COEP, and convincesinner.comto add appropriate headers as well.Suddenly
outer.comis now vulnerable to Spectre attacks frominner.com. To restore the security they had in a pre-COOP+COEP world, they need to auditinner.com(and its transitive dependencies) to ensure that they do not abuseSharedArrayBuffer. In practice, this is likely not feasible.We propose that
SharedArrayBuffernot be automatically enabled in all crossOriginIsolated frames. Instead, we would define a new feature policy forSharedArrayBufferand other potentially process-wide features (like the memory measurement API, or maybe preciseperformance.now()). This feature policy would have a default allowlist of'self', so that same-origin frames can still use these APIs, but cross-origin frames would need to be explicitly delegated permission to use these APIs, with something like<iframe allow="powerful-features">. (Name TBD.)/cc @mikewest since this seems rather related to https://github.com/mikewest/securer-contexts.
The text was updated successfully, but these errors were encountered: