Re: [sysapps/runtime] cross origin XHR in packaged apps

On Wednesday, 27 March 2013 at 13:03, John Lyle wrote:

> I think the main value of an 'allow-origin' manifest field would be to implement least-privilege restrictions defined by the application itself, rather than access control defined by the remote origin.  
>  
> I agree that CORS should be respected for browser-based apps (all hosted apps?)
Yes, I agree. These are just web pages after all so they should respect it by default.   
> For packaged apps, we could reuse the CSP 'connect-src' directive to optionally constrain XHR/WebSockets. In Chrome, you can add CSP directive to the manifest of packaged apps - https://developer.chrome.com/beta/apps/app_csp.html - as well as defining cross-origin permissions for extensions - https://developer.chrome.com/extensions/xhr.html.

It's not clear to me what the Origin: header is set to in Chrome extensions?  
> This doesn't seem to be the case in the current sysapps runtime spec. My opinion is that, for packaged apps, it makes sense to support CSP rules included in the manifest and ignore CORS, as this is the behaviour of native apps.

I don't have a strong opinion about this… but I think the Google approach is kinda messy (and subverts the client/server trust model).  

Maybe, what you would want to do is say that XHR is allowed to override the Origin: header (to a restricted list) when performing a request.

So, in the manifest, you would have something like:

"xhr-origin": [ "http://www.foo.com/", "http://bar.com/"  ]

And then:  

var xhr = new XMLHttpRequest();
//if it doesn't match an allowed one, then throw
xhr.setRequestHeader("Origin", "http://www.foo.com/");

Or some such… might help overcome the app:// issue in a way that is still CORS friendly (and somewhat secure in that only explicit origins are allowed).  
>  
> If an application has access to a raw socket API, then any origin-related policies seem a bit futile and the CSP directive ought to be "connect-src *;"
>  
> Other state of the art is WARP - http://www.w3.org/TR/widgets-access/.
WARP closely matches what Google is doing. However, it doesn't use a "*"-based permissioning system because we thought it was too easy to shoot yourself in the foot… well, except in the case where you just declare <access origin="*">, but that one was easy to catch on code review (or through other UA warnings).  

Received on Wednesday, 27 March 2013 18:36:09 UTC
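The "xhr-origin" manifest idea sketched in the message above, worked through as an added example that is not part of the thread or of any sysapps runtime implementation. The manifest key "xhr-origin" and the sample origins come from the message; the function names (toOrigin, allowedOrigins, isOriginAllowed, guardOriginHeader), the FakeXHR stand-in for XMLHttpRequest, and the decision to compare on full origin (scheme, host, port) and to refuse "*" entries outright are assumptions of this example. It runs under Node without a browser.

```javascript
// Added example: enforce a manifest "xhr-origin" allow-list before a packaged
// app is permitted to set its own Origin header on an XHR. Not code from the
// thread; names and policy details below are this example's own assumptions.

// Constructed manifest, using the two origins quoted in the message.
const manifest = {
  "xhr-origin": ["http://www.foo.com/", "http://bar.com/"]
};

// Reduce a URL string to its origin (scheme://host[:port]). Throws on input
// that does not parse or that uses a scheme other than http/https, so a
// malformed entry can never silently widen the list.
function toOrigin(value) {
  const u = new URL(value);
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    throw new Error(`unsupported scheme in ${value}`);
  }
  return u.origin;
}

// Build the set of allowed origins from the manifest. Wildcards are refused
// outright (the message notes how easy a "*" entry makes it to shoot yourself
// in the foot); a missing or non-array field yields an empty set, i.e. deny.
function allowedOrigins(manifest) {
  const list = manifest["xhr-origin"];
  if (!Array.isArray(list)) return new Set();
  return new Set(list.map((entry) => {
    if (entry.includes("*")) {
      throw new Error(`wildcard entry not permitted in xhr-origin: ${entry}`);
    }
    return toOrigin(entry);
  }));
}

// Decide whether the app may send `requested` as its Origin header. Unparsable
// values are denied rather than treated as an error, since they come from the
// app at request time rather than from the manifest.
function isOriginAllowed(manifest, requested) {
  let origin;
  try {
    origin = toOrigin(requested);
  } catch (e) {
    return false;
  }
  return allowedOrigins(manifest).has(origin);
}

// Wrap an XHR-like object so that setRequestHeader("Origin", ...) is checked
// against the manifest and throws when the value is not on the list. Other
// headers pass through untouched.
function guardOriginHeader(xhr, manifest) {
  const original = xhr.setRequestHeader.bind(xhr);
  xhr.setRequestHeader = function (name, value) {
    if (name.toLowerCase() === "origin" && !isOriginAllowed(manifest, value)) {
      throw new Error(`Origin ${value} is not in the manifest xhr-origin list`);
    }
    return original(name, value);
  };
  return xhr;
}

// Constructed stand-in for XMLHttpRequest so the example runs outside a browser.
class FakeXHR {
  constructor() {
    this.headers = {};
  }
  setRequestHeader(name, value) {
    this.headers[name] = value;
  }
}

// Exercise the guard: one allowed origin is set, one unlisted origin is refused.
function demo() {
  const xhr = guardOriginHeader(new FakeXHR(), manifest);
  xhr.setRequestHeader("Origin", "http://www.foo.com/");
  let blocked = false;
  try {
    xhr.setRequestHeader("Origin", "http://unlisted.example/");
  } catch (e) {
    blocked = true;
  }
  return { sent: xhr.headers.Origin, blocked };
}

console.log(demo());
```

Comparing on origin rather than on the raw string means "http://www.foo.com/some/path" is accepted (same origin as the listed entry) while "https://www.foo.com/" and "http://foo.com/" are not, which is the least-privilege behaviour the manifest entry is meant to express.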