Re: [whatwg/fetch] Split 'document' destination into 'frame' and 'iframe'. (#948)

I think we all want to make a decision here and I don't want to derail a productive discussion, but IMHO there are 3 problems with `mode`=`navigate` for `embed`/`object`:

1. It seems counter-intuitive: in my mental model an `<embed>` or `<object>` works similarly to `<img>` or any other element that loads a non-document subresource. The fact that browsers create a browsing context for some MIME types seems like an implementation detail; I doubt developers are aware of this or rely on it -- I've never seen a browsing context created via `embed` be navigated like an iframe.
2. It is currently unsafe (with respect to Fetch Metadata) because it allows loading images via `<embed>`, and Firefox ignores `X-Frame-Options`/`frame-ancestors` in this case. If a site prevents `cross-site` loading of images but allows `cross-site` navigations, and sets `X-Frame-Options` to protect from embedding, an attacker will still be able to load images cross-site via `<embed>` and e.g. exfiltrate them via Spectre.
3. It will complicate writing Fetch Metadata policies that protect from framing because developers will need to consider framed loads via `object` and `embed`, in addition to `frame` and `iframe`. (But this would arguably be the same with @mikewest's `no-cors-on-initial-load-and-then-navigate` model.)

Basically, I think that `navigate` here prioritizes what makes sense to a browser over what makes sense to web developers, and `no-cors` would be a better fit (for a developer, though not necessarily for a browser) and be safer. That said, if we can guarantee that `<embed>`/`<object>` always works exactly the same as an iframe, e.g. respects `X-Frame-Options` and doesn't give the embedder any new ways to interact with the loaded resource such as triggering events that a load in an iframe wouldn't trigger, then I think I can live with `navigate`.

-- 
https://github.com/whatwg/fetch/pull/948#issuecomment-550190742

Received on Wednesday, 6 November 2019 07:57:01 UTC
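
Added example (not part of the original message, and not code from the Fetch or Fetch Metadata specifications): a server-side Fetch Metadata check for the site described in items 2 and 3, showing which cross-site loads a "block subresources, allow navigations" policy lets through and a variant that only admits top-level document loads. It assumes the `navigate` model discussed in the thread, with `<embed>` loads arriving as `Sec-Fetch-Mode: navigate` and `Sec-Fetch-Dest: embed`; the function names and sample requests are constructed for illustration.

```javascript
// Constructed cross-site GET requests (header names lower-cased, as Node exposes them).
const crossSite = (mode, dest) => ({
  method: "GET",
  headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": mode, "sec-fetch-dest": dest },
});
const SAMPLES = {
  imgTag: crossSite("no-cors", "image"),
  topLevelNav: crossSite("navigate", "document"),
  iframe: crossSite("navigate", "iframe"),
  // Assumption: the `navigate` model from the thread, with `embed` as the destination.
  embedOfImage: crossSite("navigate", "embed"),
};

function isTrustedSite(req) {
  const site = req.headers["sec-fetch-site"];
  // Absent header: the client does not send Fetch Metadata, so the policy cannot apply.
  return site === undefined || ["same-origin", "same-site", "none"].includes(site);
}

// Policy from item 2: block cross-site subresources, allow cross-site navigations.
function naivePolicy(req) {
  if (isTrustedSite(req)) return true;
  return req.method === "GET" && req.headers["sec-fetch-mode"] === "navigate";
}

// Same policy, but a cross-site navigation must also be a top-level document load.
// Allow-listing "document" rejects frame, iframe, embed and object (item 3) and
// fails closed on a missing or unknown destination.
function framingAwarePolicy(req) {
  if (!naivePolicy(req)) return false;
  if (isTrustedSite(req)) return true;
  return req.headers["sec-fetch-dest"] === "document";
}

// Run one policy over every sample and return { sampleName: allowed }.
function evaluate(policy) {
  return Object.fromEntries(Object.entries(SAMPLES).map(([k, r]) => [k, policy(r)]));
}

console.log("naive:", evaluate(naivePolicy));
console.log("framing-aware:", evaluate(framingAwarePolicy));
```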