Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Govern dns-prefetch and preconnect with CSP #9035

Open
annevk opened this issue Mar 16, 2023 · 5 comments
Open

Govern dns-prefetch and preconnect with CSP #9035

annevk opened this issue Mar 16, 2023 · 5 comments
Labels
integration Better coordination across standards needed topic: resource hints (inc. preload)

Comments

@annevk
Copy link
Member

annevk commented Mar 16, 2023

At the very least the default policy ought to be enforced.

cc @noamr

@annevk annevk added integration Better coordination across standards needed topic: resource hints (inc. preload) labels Mar 16, 2023
annevk pushed a commit that referenced this issue Mar 16, 2023
Note that this still doesn't include the CSP bits, which are also not implemented anywhere for this & preconnect. That's tracked by #9035.

Closes #9015.
@annevk
Copy link
Member Author

annevk commented Mar 16, 2023

I guess ideally this is done by Fetch, but we don't want to enforce it for all callers of "resolve an origin". Perhaps we can make it such that internal callers in Fetch end up bypassing it. (If we do that I should move this issue to the Fetch repository.)

@noamr
Copy link
Contributor

noamr commented Mar 16, 2023

My thinking about it is to use have a "fake" request with prefetch initiator and perform a CSP check on that (with the newly defined CSP rules for prefetch).

We can wrap connect+resolve in Fetch with a call that accepts a client instead of partition key that makes this call.

btw a very different alternative I thought about is to have a "preconnect" or "dns-prefetch" destination, and exit early inside fetch based on that destination. WDYT @annevk ?

@annevk
Copy link
Member Author

annevk commented Mar 16, 2023

I think overloading "fetch" is probably undesirable. E.g., by the time it calls obtain a connection it will have already spun up service workers and such. And other specifications that should invoke "obtain a connection" (e.g., WebRTC and WebTransport) should also be subject to CSP. They should also be subject to some other things, such as port blocking: https://github.com/whatwg/fetch/issues?q=is%3Aopen+is%3Aissue+label%3A%22topic%3A+connections%22.

However, you do make me wonder if "dns-prefetch" is doing the wrong thing currently. If a proxy is configured that doesn't return "DIRECT", should we even be invoking resolve an origin? That's probably bogus.

cc @ricea

@noamr
Copy link
Contributor

noamr commented Mar 16, 2023

Good point regarding proxies, I'll fix that together with figuring out the CSP bit.

@noamr
Copy link
Contributor

noamr commented Mar 21, 2023

Define preconnect and dns-prefetch with CSP whatwg/fetch#1620

whatwg/fetch#1620

noamr added a commit to noamr/fetch that referenced this issue Apr 24, 2023
noamr added a commit to noamr/fetch that referenced this issue May 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
integration Better coordination across standards needed topic: resource hints (inc. preload)
Development

No branches or pull requests

2 participants