Add disallowdocumentaccess iframe attribute to force a creation of a new agent cluster map

[dtapuska]

Add a disallowdocumentaccess iframe attribute to prevent access from one document to another.

Add steps that cause a newly created browsing context to either inherit the agent cluster map or
create a new one.

Given a nested browsing context (or child) with the disallowdocumentaccess parameter and an
iframe outside of the tree, the two browsing contexts will not be able to share data because
they will have different Agents (even if they are same-origin-domain).

Fixes #4435

• At least two implementers are interested (and none opposed):
  • …
  • …
• Tests are written and can be reviewed and commented upon at:
  • …
• Implementation bugs are filed:
  • Chrome: https://bugs.chromium.org/p/chromium/issues/detail?id=961448
  • Firefox: …
  • Safari: …

(See WHATWG Working Mode: Changes for more details.)

---

💥 Error: Wattsi server error 💥

PR Preview failed to build. (Last tried on Jan 15, 2021, 7:59 AM UTC).

More

PR Preview relies on a number of web services to run. There seems to be an issue with the following one:

🚨 Wattsi Server - Wattsi Server is the web service used to build the WHATWG HTML spec.

🔗 Related URL

<html>
<head><title>504 Gateway Time-out</title></head>
<body bgcolor="white">
<center><h1>504 Gateway Time-out</h1></center>
<hr><center>nginx/1.10.3</center>
</body>
</html>

If you don't have enough information above to solve the error by yourself (or to understand to which web service the error is related to, if any), please file an issue.

[dtapuska]

@annevk @domenic
If this approach is ok. I'll continue iterating with tests and other implementation bugs.

[domenic]

Only a minor nit on my part. Otherwise, this seems to make sense to me, although @annevk is the expert.

I think the remaining "problem" is a preexisting one: that we only declaratively say "these agents are in the same cluster." For a long time @annevk and I have wanted to move to a model that explicitly allocates agents and agent clusters when new documents are created. That would make it clearer that at agent creation time, we consult the feature policy header/iframe's allow attribute, and use that to influence which agent cluster the agent goes in.

But, I see no problems with introducing this on top of the current paradigm. There is nothing introduced here that will make that future clarification harder to do.

This does mean we're closing the door on being able to deliver feature policy via in-document mechanisms like <meta>, since by that time it'll be too late (the agent will already be in its cluster). I suspect we're already pretty committed to that path, but /cc @clelland to make sure.

[domenic]

This doesn't work if O is a Location object. I think you want to check O's relevant global object.

Also, note how prevailing style is , then return X, not return X.

[annevk]

I don't think the primitives you're building this on are ready.

[annevk]

Feature Policy is being redesigned, so this doesn't quite fit I think, given https://github.com/w3c/webappsec-feature-policy/issues/282#issuecomment-486267212. This would be a sandboxing policy of sorts, but the exact framework for that isn't designed yet as per w3c/webappsec-permissions-policy#300.

[clelland]

Could this feature fit the permission-style model? I don't think it requires opt-in from an embedded page, as that page could have been loaded in isolation anyway, right?

[annevk]

It only fits if it's not allowed by default, which doesn't make sense? There's also no user involved which makes me rather wary as well.

[annevk]

Explicitly allocating agent clusters is tracked by #4361. All help welcome!

[clelland]

Re: declaring feature policy within HTML markup -- the one strong call we've had for this is for Client Hints. See @yoavweiss's and @eeeps's comments here. I'm not sure how late we can possibly defer the agent cluster allocation, by the time we're pre-scanning the document, can we still make that decision?

[annevk]

In theory and with sufficient refactoring of the HTML Standard, but I really don't think we should be designing for servers that cannot set headers anymore. We end up with a large number of edge cases that go undertested and underdefined and make it really hard to figure out what's going on.

[yoavweiss]

Apologies for not commenting here sooner.
I don't think this is just limited to Client Hints. Talking to e.g. analytics vendors about trying out feature policies for their customers in reporting-only mode, this is an industry-wide problem.

For deployment purposes, ideally we'd be able to turn on feature policies from script (e.g. by dynamically adding Feature Policy meta tags). That would mean that users that add <script src=fooanalytics.js> can magically also get reports regarding the feature policies that they violate, and those reports can evolve over time.

If the above is not feasible, having an HTML option would enable motivated front end devs to change their markup and add the required policies. Foo Analytics would also be able to add that piece to their published markup snippet, so that future devs will have that by default (even if that would tend to freeze in time the kind of FPs that they are tracking).

Finally, if only headers are supported, that means that only highly motivated developers with access to their backend code will be able to turn on FPs. So while making it easiest to specify and potentially implement (I haven't looked), it will be the worst option for the wide-scale deployment that we want Feature Policies to have.

[eeeps]

developers with access to their backend code

As Feature-Policies generally control front-end behavior, this seems especially worrying.

My biggest take away from the fact that 98% of devs, when given a choice, enabled Client Hints using HTML rather than HTTP, was not that Client Hints need HTML delivery, but rather that front-end-developers do.

[dtapuska]

I've rebased this on top of the refactoring I've done for feature policy, and agent cluster definition (squashed commit of #4617) so hopefully this makes a whole lot more sense.

This does not address the request to specify this separation via meta tags which I believe is fundamentally impossible because the DOM is already created by then and this needs to be done before the Javascript global is created. I intend to proceed with an Intent to Implement and TAG review based on this current direction.

[dtapuska]

We've pivoted a bit on this feature and are looking for it to be an iframe attribute instead. This causes a nested browsing context group to be created at the iframe itself and then causes all further nested browsing context groups to be in different agents and then they can't possibly share data only via 'postMessage'

[annevk]

I don't really understand how this works. A browsing context group exclusively holds top-level browsing contexts. Browsing contexts also cannot be same origin-domain or some such.

[dtapuska]

I don't really understand how this works. A browsing context group exclusively holds top-level browsing contexts. Browsing contexts also cannot be same origin-domain or some such.

What I am thinking is that the browsing context group doesn't hold a set of top-level browsing contexts but aset of browsing contexts. If you set the iframe attribute it will create a new nested browsing context group. This maps kind of what we have in Chrome with SiteInstance.

The alternate is to change the AgentClusterMap to be on the browser context itself instead of the group. Then when we create a nested browser context we can either inherit the agent cluster map or not.

[annevk]

From its name a SiteInstance pretty much has to be an agent cluster, I think. A browsing context holds a sequence of documents that can have different origins from each other.

[dtapuska]

From its name a SiteInstance pretty much has to be an agent cluster, I think. A browsing context holds a sequence of documents that can have different origins from each other.

Alright placed the agent cluster map on the browsingContext. Hopefully this makes sense then.

[annevk]

I don't really see how I'm afraid. If A1 popups A2, how would they share an agent cluster across two browsing contexts with this setup?

[dtapuska]

I don't really see how I'm afraid. If A1 popups A2, how would they share an agent cluster across two browsing contexts with this setup?

As discussed on IRC the browsing context inherits the same reference of the agent cluster map (I'm not sure exactly how to detail this in the spec).

After explanation these were your comments:
"I guess that makes sense; I'm still not a 100% on why we want to be doing this and am somewhat concerned that you can frame the top-level again and it being sandboxed from itself
Maybe we should couple this to #5273 somehow?
So I understand the effects of your proposal, it's just not clear to me it's worth doing on its own and if it's okay to do without opt-in of the affected sites"

[annevk]

@dtapuska I suspect this can be closed?