Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Consider adding a [CrossOriginIsolated] extended attribute. #875

Closed
mikewest opened this issue Apr 29, 2020 · 4 comments · Fixed by #883
Closed

Consider adding a [CrossOriginIsolated] extended attribute. #875

mikewest opened this issue Apr 29, 2020 · 4 comments · Fixed by #883

Comments

@mikewest
Copy link
Member

We have a [SecureContext] extended attribute that governs whether or not a given construct is exposed within a given context. I'd suggest that something similar would be helpful as we begin restricting access to APIs based on whether or not a given context is cross-origin isolated.

The Securer Contexts proposal talks about this attribute in terms of [SecureContext=Isolated], but I now think it's probably a better idea to create a new attribute ([CrossOriginIsolated]) for this purpose, as it would give us the opportunity to reformulate [SecureContext] in the future to something more specifically related to the aspect of security it actually governs.

That is, for upcoming APIs like performance.measureMemory(), I'd like them to be able to define the API as limited to isolated and secure contexts in a standardized way. Perhaps along the lines of:

partial interface Performance {
  [SecureContext, CrossOriginIsolated] Promise<MemoryMeasurements> measureMemory();
}

That would have the effect of exposing the method only when the context is cross-origin isolated via COOP and COEP (as defined in whatwg/html#4732 (comment)).

WDYT?

@annevk @camillelamy @domenic

@annevk
Copy link
Member

annevk commented Apr 29, 2020

Is whatwg/html#5435 still something that is being pursued by Google? (It would be doable in Firefox, but I'm not sure we want to lead with shipping that as well.)

Note that if you have [CrossOriginIsolated] there should be no need to list [SecureContext]. It's effectively a subset.

@mikewest
Copy link
Member Author

Is whatwg/html#5435 still something that is being pursued by Google?

I think so? Either @arturjanc or @ulan pinged me about it earlier this week, and it seems like a reasonable thing to do that this would layer on top of.

Note that if you have [CrossOriginIsolated] there should be no need to list [SecureContext]. It's effectively a subset.

If we keep [SecureContext], I think I'd suggest that folks list both for clarity.

(As part of Securer Contexts, I'd secretly like to deprecate [SecureContext] by making it the default, and annotating all unrestricted APIs with [UnsafelyExposedToNetworkAttackers] or something similar... but that's a bit off topic for this particular issue).

@ExE-Boss
Copy link
Contributor

Make sure to include the Legacy prefix, eg.: [LegacyUnsafelyExposedToNetworkAttackers] or [LegacyInsecureContext], if the former is deemed too long for something that would be listed on many, many¹ APIs.


  1. I don’t have an exact figure, but I’d expect that at least ⅔ of all Web APIs don’t currently have [SecureContext].

@mikewest
Copy link
Member Author

My hope is that we'd mostly be putting the attribute on interfaces rather than literally every attribute or method. I filed #876, which is probably a better place for that conversation. :)

mikewest added a commit to mikewest/webidl that referenced this issue May 11, 2020
WebIDL currently defines a `[SecureContext]` extended attribute that
governs whether or not a given construct is exposed within a given
context. This patch defines a similar `[CrossOriginIsolated]` attribute
to govern exposure based on cross-origin isolation.

This supports the broader Securer Contexts proposal
(https://github.com/mikewest/securer-contexts), which aims to guide
spec authors to combat threats we've started paying more attention to
over the last few years.

Closes whatwg#875.
domenic pushed a commit to mikewest/webidl that referenced this issue Sep 16, 2020
WebIDL currently defines a `[SecureContext]` extended attribute that
governs whether or not a given construct is exposed within a given
context. This patch defines a similar `[CrossOriginIsolated]` attribute
to govern exposure based on cross-origin isolation.

This supports the broader Securer Contexts proposal
(https://github.com/mikewest/securer-contexts), which aims to guide
spec authors to combat threats we've started paying more attention to
over the last few years.

Closes whatwg#875.
domenic added a commit that referenced this issue Sep 21, 2020
Web IDL currently defines a [SecureContext] extended attribute that
governs whether or not a given construct is exposed within a given
context. This patch defines a similar [CrossOriginIsolated] attribute
to govern exposure based on cross-origin isolation.

This supports the broader Securer Contexts proposal
(https://github.com/mikewest/securer-contexts), which aims to guide
spec authors to combat threats we've started paying more attention to
over the last few years.

Closes #875.

Co-authored-by: Domenic Denicola <d@domenic.me>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging a pull request may close this issue.

3 participants